Switch to keybase go-crypto (for some elliptic curve key) + test (#1925)
* Switch to keybase go-crypto (for some elliptic curve key) + test
* Use assert.NoError
and add a little more context to failing test description
* Use assert.(No)Error everywhere 🌈
and assert.Error in place of .Nil/.NotNil
release/v1.2
parent
5e92b82ac6
commit
274149dd14
@ -0,0 +1,27 @@
|
|||||||
|
Copyright (c) 2009 The Go Authors. All rights reserved.
|
||||||
|
|
||||||
|
Redistribution and use in source and binary forms, with or without
|
||||||
|
modification, are permitted provided that the following conditions are
|
||||||
|
met:
|
||||||
|
|
||||||
|
* Redistributions of source code must retain the above copyright
|
||||||
|
notice, this list of conditions and the following disclaimer.
|
||||||
|
* Redistributions in binary form must reproduce the above
|
||||||
|
copyright notice, this list of conditions and the following disclaimer
|
||||||
|
in the documentation and/or other materials provided with the
|
||||||
|
distribution.
|
||||||
|
* Neither the name of Google Inc. nor the names of its
|
||||||
|
contributors may be used to endorse or promote products derived from
|
||||||
|
this software without specific prior written permission.
|
||||||
|
|
||||||
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||||
|
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||||
|
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||||
|
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
@ -0,0 +1,22 @@
|
|||||||
|
Additional IP Rights Grant (Patents)
|
||||||
|
|
||||||
|
"This implementation" means the copyrightable works distributed by
|
||||||
|
Google as part of the Go project.
|
||||||
|
|
||||||
|
Google hereby grants to You a perpetual, worldwide, non-exclusive,
|
||||||
|
no-charge, royalty-free, irrevocable (except as stated in this section)
|
||||||
|
patent license to make, have made, use, offer to sell, sell, import,
|
||||||
|
transfer and otherwise run, modify and propagate the contents of this
|
||||||
|
implementation of Go, where such license applies only to those patent
|
||||||
|
claims, both currently owned or controlled by Google and acquired in
|
||||||
|
the future, licensable by Google that are necessarily infringed by this
|
||||||
|
implementation of Go. This grant does not include claims that would be
|
||||||
|
infringed only as a consequence of further modification of this
|
||||||
|
implementation. If you or your agent or exclusive licensee institute or
|
||||||
|
order or agree to the institution of patent litigation against any
|
||||||
|
entity (including a cross-claim or counterclaim in a lawsuit) alleging
|
||||||
|
that this implementation of Go or any code incorporated within this
|
||||||
|
implementation of Go constitutes direct or contributory patent
|
||||||
|
infringement, or inducement of patent infringement, then any patent
|
||||||
|
rights granted to you under this License for this implementation of Go
|
||||||
|
shall terminate as of the date such litigation is filed.
|
@ -0,0 +1,134 @@
|
|||||||
|
// Package brainpool implements Brainpool elliptic curves.
|
||||||
|
// Implementation of rcurves is from github.com/ebfe/brainpool
|
||||||
|
// Note that these curves are implemented with naive, non-constant time operations
|
||||||
|
// and are likely not suitable for enviroments where timing attacks are a concern.
|
||||||
|
package brainpool
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/elliptic"
|
||||||
|
"math/big"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
once sync.Once
|
||||||
|
p256t1, p384t1, p512t1 *elliptic.CurveParams
|
||||||
|
p256r1, p384r1, p512r1 *rcurve
|
||||||
|
)
|
||||||
|
|
||||||
|
func initAll() {
|
||||||
|
initP256t1()
|
||||||
|
initP384t1()
|
||||||
|
initP512t1()
|
||||||
|
initP256r1()
|
||||||
|
initP384r1()
|
||||||
|
initP512r1()
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP256t1() {
|
||||||
|
p256t1 = &elliptic.CurveParams{Name: "brainpoolP256t1"}
|
||||||
|
p256t1.P, _ = new(big.Int).SetString("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16)
|
||||||
|
p256t1.N, _ = new(big.Int).SetString("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16)
|
||||||
|
p256t1.B, _ = new(big.Int).SetString("662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04", 16)
|
||||||
|
p256t1.Gx, _ = new(big.Int).SetString("A3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4", 16)
|
||||||
|
p256t1.Gy, _ = new(big.Int).SetString("2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE", 16)
|
||||||
|
p256t1.BitSize = 256
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP256r1() {
|
||||||
|
twisted := p256t1
|
||||||
|
params := &elliptic.CurveParams{
|
||||||
|
Name: "brainpoolP256r1",
|
||||||
|
P: twisted.P,
|
||||||
|
N: twisted.N,
|
||||||
|
BitSize: twisted.BitSize,
|
||||||
|
}
|
||||||
|
params.Gx, _ = new(big.Int).SetString("8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", 16)
|
||||||
|
params.Gy, _ = new(big.Int).SetString("547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", 16)
|
||||||
|
z, _ := new(big.Int).SetString("3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0", 16)
|
||||||
|
p256r1 = newrcurve(twisted, params, z)
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP384t1() {
|
||||||
|
p384t1 = &elliptic.CurveParams{Name: "brainpoolP384t1"}
|
||||||
|
p384t1.P, _ = new(big.Int).SetString("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53", 16)
|
||||||
|
p384t1.N, _ = new(big.Int).SetString("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", 16)
|
||||||
|
p384t1.B, _ = new(big.Int).SetString("7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE1D2074AA263B88805CED70355A33B471EE", 16)
|
||||||
|
p384t1.Gx, _ = new(big.Int).SetString("18DE98B02DB9A306F2AFCD7235F72A819B80AB12EBD653172476FECD462AABFFC4FF191B946A5F54D8D0AA2F418808CC", 16)
|
||||||
|
p384t1.Gy, _ = new(big.Int).SetString("25AB056962D30651A114AFD2755AD336747F93475B7A1FCA3B88F2B6A208CCFE469408584DC2B2912675BF5B9E582928", 16)
|
||||||
|
p384t1.BitSize = 384
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP384r1() {
|
||||||
|
twisted := p384t1
|
||||||
|
params := &elliptic.CurveParams{
|
||||||
|
Name: "brainpoolP384r1",
|
||||||
|
P: twisted.P,
|
||||||
|
N: twisted.N,
|
||||||
|
BitSize: twisted.BitSize,
|
||||||
|
}
|
||||||
|
params.Gx, _ = new(big.Int).SetString("1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E", 16)
|
||||||
|
params.Gy, _ = new(big.Int).SetString("8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315", 16)
|
||||||
|
z, _ := new(big.Int).SetString("41DFE8DD399331F7166A66076734A89CD0D2BCDB7D068E44E1F378F41ECBAE97D2D63DBC87BCCDDCCC5DA39E8589291C", 16)
|
||||||
|
p384r1 = newrcurve(twisted, params, z)
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP512t1() {
|
||||||
|
p512t1 = &elliptic.CurveParams{Name: "brainpoolP512t1"}
|
||||||
|
p512t1.P, _ = new(big.Int).SetString("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", 16)
|
||||||
|
p512t1.N, _ = new(big.Int).SetString("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", 16)
|
||||||
|
p512t1.B, _ = new(big.Int).SetString("7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36A62BCDFA2304976540F6450085F2DAE145C22553B465763689180EA2571867423E", 16)
|
||||||
|
p512t1.Gx, _ = new(big.Int).SetString("640ECE5C12788717B9C1BA06CBC2A6FEBA85842458C56DDE9DB1758D39C0313D82BA51735CDB3EA499AA77A7D6943A64F7A3F25FE26F06B51BAA2696FA9035DA", 16)
|
||||||
|
p512t1.Gy, _ = new(big.Int).SetString("5B534BD595F5AF0FA2C892376C84ACE1BB4E3019B71634C01131159CAE03CEE9D9932184BEEF216BD71DF2DADF86A627306ECFF96DBB8BACE198B61E00F8B332", 16)
|
||||||
|
p512t1.BitSize = 512
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP512r1() {
|
||||||
|
twisted := p512t1
|
||||||
|
params := &elliptic.CurveParams{
|
||||||
|
Name: "brainpoolP512r1",
|
||||||
|
P: twisted.P,
|
||||||
|
N: twisted.N,
|
||||||
|
BitSize: twisted.BitSize,
|
||||||
|
}
|
||||||
|
params.Gx, _ = new(big.Int).SetString("81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822", 16)
|
||||||
|
params.Gy, _ = new(big.Int).SetString("7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892", 16)
|
||||||
|
z, _ := new(big.Int).SetString("12EE58E6764838B69782136F0F2D3BA06E27695716054092E60A80BEDB212B64E585D90BCE13761F85C3F1D2A64E3BE8FEA2220F01EBA5EEB0F35DBD29D922AB", 16)
|
||||||
|
p512r1 = newrcurve(twisted, params, z)
|
||||||
|
}
|
||||||
|
|
||||||
|
// P256t1 returns a Curve which implements Brainpool P256t1 (see RFC 5639, section 3.4)
|
||||||
|
func P256t1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p256t1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P256r1 returns a Curve which implements Brainpool P256r1 (see RFC 5639, section 3.4)
|
||||||
|
func P256r1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p256r1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P384t1 returns a Curve which implements Brainpool P384t1 (see RFC 5639, section 3.6)
|
||||||
|
func P384t1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p384t1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P384r1 returns a Curve which implements Brainpool P384r1 (see RFC 5639, section 3.6)
|
||||||
|
func P384r1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p384r1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P512t1 returns a Curve which implements Brainpool P512t1 (see RFC 5639, section 3.7)
|
||||||
|
func P512t1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p512t1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P512r1 returns a Curve which implements Brainpool P512r1 (see RFC 5639, section 3.7)
|
||||||
|
func P512r1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p512r1
|
||||||
|
}
|
@ -0,0 +1,83 @@
|
|||||||
|
package brainpool
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/elliptic"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
var _ elliptic.Curve = (*rcurve)(nil)
|
||||||
|
|
||||||
|
type rcurve struct {
|
||||||
|
twisted elliptic.Curve
|
||||||
|
params *elliptic.CurveParams
|
||||||
|
z *big.Int
|
||||||
|
zinv *big.Int
|
||||||
|
z2 *big.Int
|
||||||
|
z3 *big.Int
|
||||||
|
zinv2 *big.Int
|
||||||
|
zinv3 *big.Int
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
two = big.NewInt(2)
|
||||||
|
three = big.NewInt(3)
|
||||||
|
)
|
||||||
|
|
||||||
|
func newrcurve(twisted elliptic.Curve, params *elliptic.CurveParams, z *big.Int) *rcurve {
|
||||||
|
zinv := new(big.Int).ModInverse(z, params.P)
|
||||||
|
return &rcurve{
|
||||||
|
twisted: twisted,
|
||||||
|
params: params,
|
||||||
|
z: z,
|
||||||
|
zinv: zinv,
|
||||||
|
z2: new(big.Int).Exp(z, two, params.P),
|
||||||
|
z3: new(big.Int).Exp(z, three, params.P),
|
||||||
|
zinv2: new(big.Int).Exp(zinv, two, params.P),
|
||||||
|
zinv3: new(big.Int).Exp(zinv, three, params.P),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) toTwisted(x, y *big.Int) (*big.Int, *big.Int) {
|
||||||
|
var tx, ty big.Int
|
||||||
|
tx.Mul(x, curve.z2)
|
||||||
|
tx.Mod(&tx, curve.params.P)
|
||||||
|
ty.Mul(y, curve.z3)
|
||||||
|
ty.Mod(&ty, curve.params.P)
|
||||||
|
return &tx, &ty
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) fromTwisted(tx, ty *big.Int) (*big.Int, *big.Int) {
|
||||||
|
var x, y big.Int
|
||||||
|
x.Mul(tx, curve.zinv2)
|
||||||
|
x.Mod(&x, curve.params.P)
|
||||||
|
y.Mul(ty, curve.zinv3)
|
||||||
|
y.Mod(&y, curve.params.P)
|
||||||
|
return &x, &y
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) Params() *elliptic.CurveParams {
|
||||||
|
return curve.params
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) IsOnCurve(x, y *big.Int) bool {
|
||||||
|
return curve.twisted.IsOnCurve(curve.toTwisted(x, y))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) Add(x1, y1, x2, y2 *big.Int) (x, y *big.Int) {
|
||||||
|
tx1, ty1 := curve.toTwisted(x1, y1)
|
||||||
|
tx2, ty2 := curve.toTwisted(x2, y2)
|
||||||
|
return curve.fromTwisted(curve.twisted.Add(tx1, ty1, tx2, ty2))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) Double(x1, y1 *big.Int) (x, y *big.Int) {
|
||||||
|
return curve.fromTwisted(curve.twisted.Double(curve.toTwisted(x1, y1)))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) ScalarMult(x1, y1 *big.Int, scalar []byte) (x, y *big.Int) {
|
||||||
|
tx1, ty1 := curve.toTwisted(x1, y1)
|
||||||
|
return curve.fromTwisted(curve.twisted.ScalarMult(tx1, ty1, scalar))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) ScalarBaseMult(scalar []byte) (x, y *big.Int) {
|
||||||
|
return curve.fromTwisted(curve.twisted.ScalarBaseMult(scalar))
|
||||||
|
}
|
@ -0,0 +1,20 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
DATA ·REDMASK51(SB)/8, $0x0007FFFFFFFFFFFF
|
||||||
|
GLOBL ·REDMASK51(SB), 8, $8
|
||||||
|
|
||||||
|
DATA ·_121666_213(SB)/8, $996687872
|
||||||
|
GLOBL ·_121666_213(SB), 8, $8
|
||||||
|
|
||||||
|
DATA ·_2P0(SB)/8, $0xFFFFFFFFFFFDA
|
||||||
|
GLOBL ·_2P0(SB), 8, $8
|
||||||
|
|
||||||
|
DATA ·_2P1234(SB)/8, $0xFFFFFFFFFFFFE
|
||||||
|
GLOBL ·_2P1234(SB), 8, $8
|
@ -0,0 +1,88 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
// func cswap(inout *[5]uint64, v uint64)
|
||||||
|
TEXT ·cswap(SB),7,$0
|
||||||
|
MOVQ inout+0(FP),DI
|
||||||
|
MOVQ v+8(FP),SI
|
||||||
|
|
||||||
|
CMPQ SI,$1
|
||||||
|
MOVQ 0(DI),SI
|
||||||
|
MOVQ 80(DI),DX
|
||||||
|
MOVQ 8(DI),CX
|
||||||
|
MOVQ 88(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,0(DI)
|
||||||
|
MOVQ DX,80(DI)
|
||||||
|
MOVQ CX,8(DI)
|
||||||
|
MOVQ R8,88(DI)
|
||||||
|
MOVQ 16(DI),SI
|
||||||
|
MOVQ 96(DI),DX
|
||||||
|
MOVQ 24(DI),CX
|
||||||
|
MOVQ 104(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,16(DI)
|
||||||
|
MOVQ DX,96(DI)
|
||||||
|
MOVQ CX,24(DI)
|
||||||
|
MOVQ R8,104(DI)
|
||||||
|
MOVQ 32(DI),SI
|
||||||
|
MOVQ 112(DI),DX
|
||||||
|
MOVQ 40(DI),CX
|
||||||
|
MOVQ 120(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,32(DI)
|
||||||
|
MOVQ DX,112(DI)
|
||||||
|
MOVQ CX,40(DI)
|
||||||
|
MOVQ R8,120(DI)
|
||||||
|
MOVQ 48(DI),SI
|
||||||
|
MOVQ 128(DI),DX
|
||||||
|
MOVQ 56(DI),CX
|
||||||
|
MOVQ 136(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,48(DI)
|
||||||
|
MOVQ DX,128(DI)
|
||||||
|
MOVQ CX,56(DI)
|
||||||
|
MOVQ R8,136(DI)
|
||||||
|
MOVQ 64(DI),SI
|
||||||
|
MOVQ 144(DI),DX
|
||||||
|
MOVQ 72(DI),CX
|
||||||
|
MOVQ 152(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,64(DI)
|
||||||
|
MOVQ DX,144(DI)
|
||||||
|
MOVQ CX,72(DI)
|
||||||
|
MOVQ R8,152(DI)
|
||||||
|
MOVQ DI,AX
|
||||||
|
MOVQ SI,DX
|
||||||
|
RET
|
@ -0,0 +1,841 @@
|
|||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// We have a implementation in amd64 assembly so this code is only run on
|
||||||
|
// non-amd64 platforms. The amd64 assembly does not support gccgo.
|
||||||
|
// +build !amd64 gccgo appengine
|
||||||
|
|
||||||
|
package curve25519
|
||||||
|
|
||||||
|
// This code is a port of the public domain, "ref10" implementation of
|
||||||
|
// curve25519 from SUPERCOP 20130419 by D. J. Bernstein.
|
||||||
|
|
||||||
|
// fieldElement represents an element of the field GF(2^255 - 19). An element
|
||||||
|
// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
|
||||||
|
// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
|
||||||
|
// context.
|
||||||
|
type fieldElement [10]int32
|
||||||
|
|
||||||
|
func feZero(fe *fieldElement) {
|
||||||
|
for i := range fe {
|
||||||
|
fe[i] = 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func feOne(fe *fieldElement) {
|
||||||
|
feZero(fe)
|
||||||
|
fe[0] = 1
|
||||||
|
}
|
||||||
|
|
||||||
|
func feAdd(dst, a, b *fieldElement) {
|
||||||
|
for i := range dst {
|
||||||
|
dst[i] = a[i] + b[i]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func feSub(dst, a, b *fieldElement) {
|
||||||
|
for i := range dst {
|
||||||
|
dst[i] = a[i] - b[i]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func feCopy(dst, src *fieldElement) {
|
||||||
|
for i := range dst {
|
||||||
|
dst[i] = src[i]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// feCSwap replaces (f,g) with (g,f) if b == 1; replaces (f,g) with (f,g) if b == 0.
|
||||||
|
//
|
||||||
|
// Preconditions: b in {0,1}.
|
||||||
|
func feCSwap(f, g *fieldElement, b int32) {
|
||||||
|
var x fieldElement
|
||||||
|
b = -b
|
||||||
|
for i := range x {
|
||||||
|
x[i] = b & (f[i] ^ g[i])
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := range f {
|
||||||
|
f[i] ^= x[i]
|
||||||
|
}
|
||||||
|
for i := range g {
|
||||||
|
g[i] ^= x[i]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// load3 reads a 24-bit, little-endian value from in.
|
||||||
|
func load3(in []byte) int64 {
|
||||||
|
var r int64
|
||||||
|
r = int64(in[0])
|
||||||
|
r |= int64(in[1]) << 8
|
||||||
|
r |= int64(in[2]) << 16
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
// load4 reads a 32-bit, little-endian value from in.
|
||||||
|
func load4(in []byte) int64 {
|
||||||
|
var r int64
|
||||||
|
r = int64(in[0])
|
||||||
|
r |= int64(in[1]) << 8
|
||||||
|
r |= int64(in[2]) << 16
|
||||||
|
r |= int64(in[3]) << 24
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
func feFromBytes(dst *fieldElement, src *[32]byte) {
|
||||||
|
h0 := load4(src[:])
|
||||||
|
h1 := load3(src[4:]) << 6
|
||||||
|
h2 := load3(src[7:]) << 5
|
||||||
|
h3 := load3(src[10:]) << 3
|
||||||
|
h4 := load3(src[13:]) << 2
|
||||||
|
h5 := load4(src[16:])
|
||||||
|
h6 := load3(src[20:]) << 7
|
||||||
|
h7 := load3(src[23:]) << 5
|
||||||
|
h8 := load3(src[26:]) << 4
|
||||||
|
h9 := load3(src[29:]) << 2
|
||||||
|
|
||||||
|
var carry [10]int64
|
||||||
|
carry[9] = (h9 + 1<<24) >> 25
|
||||||
|
h0 += carry[9] * 19
|
||||||
|
h9 -= carry[9] << 25
|
||||||
|
carry[1] = (h1 + 1<<24) >> 25
|
||||||
|
h2 += carry[1]
|
||||||
|
h1 -= carry[1] << 25
|
||||||
|
carry[3] = (h3 + 1<<24) >> 25
|
||||||
|
h4 += carry[3]
|
||||||
|
h3 -= carry[3] << 25
|
||||||
|
carry[5] = (h5 + 1<<24) >> 25
|
||||||
|
h6 += carry[5]
|
||||||
|
h5 -= carry[5] << 25
|
||||||
|
carry[7] = (h7 + 1<<24) >> 25
|
||||||
|
h8 += carry[7]
|
||||||
|
h7 -= carry[7] << 25
|
||||||
|
|
||||||
|
carry[0] = (h0 + 1<<25) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
carry[2] = (h2 + 1<<25) >> 26
|
||||||
|
h3 += carry[2]
|
||||||
|
h2 -= carry[2] << 26
|
||||||
|
carry[4] = (h4 + 1<<25) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
carry[6] = (h6 + 1<<25) >> 26
|
||||||
|
h7 += carry[6]
|
||||||
|
h6 -= carry[6] << 26
|
||||||
|
carry[8] = (h8 + 1<<25) >> 26
|
||||||
|
h9 += carry[8]
|
||||||
|
h8 -= carry[8] << 26
|
||||||
|
|
||||||
|
dst[0] = int32(h0)
|
||||||
|
dst[1] = int32(h1)
|
||||||
|
dst[2] = int32(h2)
|
||||||
|
dst[3] = int32(h3)
|
||||||
|
dst[4] = int32(h4)
|
||||||
|
dst[5] = int32(h5)
|
||||||
|
dst[6] = int32(h6)
|
||||||
|
dst[7] = int32(h7)
|
||||||
|
dst[8] = int32(h8)
|
||||||
|
dst[9] = int32(h9)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feToBytes marshals h to s.
|
||||||
|
// Preconditions:
|
||||||
|
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|
||||||
|
//
|
||||||
|
// Write p=2^255-19; q=floor(h/p).
|
||||||
|
// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
|
||||||
|
//
|
||||||
|
// Proof:
|
||||||
|
// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
|
||||||
|
// Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
|
||||||
|
//
|
||||||
|
// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
|
||||||
|
// Then 0<y<1.
|
||||||
|
//
|
||||||
|
// Write r=h-pq.
|
||||||
|
// Have 0<=r<=p-1=2^255-20.
|
||||||
|
// Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
|
||||||
|
//
|
||||||
|
// Write x=r+19(2^-255)r+y.
|
||||||
|
// Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
|
||||||
|
//
|
||||||
|
// Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
|
||||||
|
// so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
|
||||||
|
func feToBytes(s *[32]byte, h *fieldElement) {
|
||||||
|
var carry [10]int32
|
||||||
|
|
||||||
|
q := (19*h[9] + (1 << 24)) >> 25
|
||||||
|
q = (h[0] + q) >> 26
|
||||||
|
q = (h[1] + q) >> 25
|
||||||
|
q = (h[2] + q) >> 26
|
||||||
|
q = (h[3] + q) >> 25
|
||||||
|
q = (h[4] + q) >> 26
|
||||||
|
q = (h[5] + q) >> 25
|
||||||
|
q = (h[6] + q) >> 26
|
||||||
|
q = (h[7] + q) >> 25
|
||||||
|
q = (h[8] + q) >> 26
|
||||||
|
q = (h[9] + q) >> 25
|
||||||
|
|
||||||
|
// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
|
||||||
|
h[0] += 19 * q
|
||||||
|
// Goal: Output h-2^255 q, which is between 0 and 2^255-20.
|
||||||
|
|
||||||
|
carry[0] = h[0] >> 26
|
||||||
|
h[1] += carry[0]
|
||||||
|
h[0] -= carry[0] << 26
|
||||||
|
carry[1] = h[1] >> 25
|
||||||
|
h[2] += carry[1]
|
||||||
|
h[1] -= carry[1] << 25
|
||||||
|
carry[2] = h[2] >> 26
|
||||||
|
h[3] += carry[2]
|
||||||
|
h[2] -= carry[2] << 26
|
||||||
|
carry[3] = h[3] >> 25
|
||||||
|
h[4] += carry[3]
|
||||||
|
h[3] -= carry[3] << 25
|
||||||
|
carry[4] = h[4] >> 26
|
||||||
|
h[5] += carry[4]
|
||||||
|
h[4] -= carry[4] << 26
|
||||||
|
carry[5] = h[5] >> 25
|
||||||
|
h[6] += carry[5]
|
||||||
|
h[5] -= carry[5] << 25
|
||||||
|
carry[6] = h[6] >> 26
|
||||||
|
h[7] += carry[6]
|
||||||
|
h[6] -= carry[6] << 26
|
||||||
|
carry[7] = h[7] >> 25
|
||||||
|
h[8] += carry[7]
|
||||||
|
h[7] -= carry[7] << 25
|
||||||
|
carry[8] = h[8] >> 26
|
||||||
|
h[9] += carry[8]
|
||||||
|
h[8] -= carry[8] << 26
|
||||||
|
carry[9] = h[9] >> 25
|
||||||
|
h[9] -= carry[9] << 25
|
||||||
|
// h10 = carry9
|
||||||
|
|
||||||
|
// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
|
||||||
|
// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
|
||||||
|
// evidently 2^255 h10-2^255 q = 0.
|
||||||
|
// Goal: Output h[0]+...+2^230 h[9].
|
||||||
|
|
||||||
|
s[0] = byte(h[0] >> 0)
|
||||||
|
s[1] = byte(h[0] >> 8)
|
||||||
|
s[2] = byte(h[0] >> 16)
|
||||||
|
s[3] = byte((h[0] >> 24) | (h[1] << 2))
|
||||||
|
s[4] = byte(h[1] >> 6)
|
||||||
|
s[5] = byte(h[1] >> 14)
|
||||||
|
s[6] = byte((h[1] >> 22) | (h[2] << 3))
|
||||||
|
s[7] = byte(h[2] >> 5)
|
||||||
|
s[8] = byte(h[2] >> 13)
|
||||||
|
s[9] = byte((h[2] >> 21) | (h[3] << 5))
|
||||||
|
s[10] = byte(h[3] >> 3)
|
||||||
|
s[11] = byte(h[3] >> 11)
|
||||||
|
s[12] = byte((h[3] >> 19) | (h[4] << 6))
|
||||||
|
s[13] = byte(h[4] >> 2)
|
||||||
|
s[14] = byte(h[4] >> 10)
|
||||||
|
s[15] = byte(h[4] >> 18)
|
||||||
|
s[16] = byte(h[5] >> 0)
|
||||||
|
s[17] = byte(h[5] >> 8)
|
||||||
|
s[18] = byte(h[5] >> 16)
|
||||||
|
s[19] = byte((h[5] >> 24) | (h[6] << 1))
|
||||||
|
s[20] = byte(h[6] >> 7)
|
||||||
|
s[21] = byte(h[6] >> 15)
|
||||||
|
s[22] = byte((h[6] >> 23) | (h[7] << 3))
|
||||||
|
s[23] = byte(h[7] >> 5)
|
||||||
|
s[24] = byte(h[7] >> 13)
|
||||||
|
s[25] = byte((h[7] >> 21) | (h[8] << 4))
|
||||||
|
s[26] = byte(h[8] >> 4)
|
||||||
|
s[27] = byte(h[8] >> 12)
|
||||||
|
s[28] = byte((h[8] >> 20) | (h[9] << 6))
|
||||||
|
s[29] = byte(h[9] >> 2)
|
||||||
|
s[30] = byte(h[9] >> 10)
|
||||||
|
s[31] = byte(h[9] >> 18)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feMul calculates h = f * g
|
||||||
|
// Can overlap h with f or g.
|
||||||
|
//
|
||||||
|
// Preconditions:
|
||||||
|
// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|
||||||
|
// |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|
||||||
|
//
|
||||||
|
// Postconditions:
|
||||||
|
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|
||||||
|
//
|
||||||
|
// Notes on implementation strategy:
|
||||||
|
//
|
||||||
|
// Using schoolbook multiplication.
|
||||||
|
// Karatsuba would save a little in some cost models.
|
||||||
|
//
|
||||||
|
// Most multiplications by 2 and 19 are 32-bit precomputations;
|
||||||
|
// cheaper than 64-bit postcomputations.
|
||||||
|
//
|
||||||
|
// There is one remaining multiplication by 19 in the carry chain;
|
||||||
|
// one *19 precomputation can be merged into this,
|
||||||
|
// but the resulting data flow is considerably less clean.
|
||||||
|
//
|
||||||
|
// There are 12 carries below.
|
||||||
|
// 10 of them are 2-way parallelizable and vectorizable.
|
||||||
|
// Can get away with 11 carries, but then data flow is much deeper.
|
||||||
|
//
|
||||||
|
// With tighter constraints on inputs can squeeze carries into int32.
|
||||||
|
func feMul(h, f, g *fieldElement) {
|
||||||
|
f0 := f[0]
|
||||||
|
f1 := f[1]
|
||||||
|
f2 := f[2]
|
||||||
|
f3 := f[3]
|
||||||
|
f4 := f[4]
|
||||||
|
f5 := f[5]
|
||||||
|
f6 := f[6]
|
||||||
|
f7 := f[7]
|
||||||
|
f8 := f[8]
|
||||||
|
f9 := f[9]
|
||||||
|
g0 := g[0]
|
||||||
|
g1 := g[1]
|
||||||
|
g2 := g[2]
|
||||||
|
g3 := g[3]
|
||||||
|
g4 := g[4]
|
||||||
|
g5 := g[5]
|
||||||
|
g6 := g[6]
|
||||||
|
g7 := g[7]
|
||||||
|
g8 := g[8]
|
||||||
|
g9 := g[9]
|
||||||
|
g1_19 := 19 * g1 // 1.4*2^29
|
||||||
|
g2_19 := 19 * g2 // 1.4*2^30; still ok
|
||||||
|
g3_19 := 19 * g3
|
||||||
|
g4_19 := 19 * g4
|
||||||
|
g5_19 := 19 * g5
|
||||||
|
g6_19 := 19 * g6
|
||||||
|
g7_19 := 19 * g7
|
||||||
|
g8_19 := 19 * g8
|
||||||
|
g9_19 := 19 * g9
|
||||||
|
f1_2 := 2 * f1
|
||||||
|
f3_2 := 2 * f3
|
||||||
|
f5_2 := 2 * f5
|
||||||
|
f7_2 := 2 * f7
|
||||||
|
f9_2 := 2 * f9
|
||||||
|
f0g0 := int64(f0) * int64(g0)
|
||||||
|
f0g1 := int64(f0) * int64(g1)
|
||||||
|
f0g2 := int64(f0) * int64(g2)
|
||||||
|
f0g3 := int64(f0) * int64(g3)
|
||||||
|
f0g4 := int64(f0) * int64(g4)
|
||||||
|
f0g5 := int64(f0) * int64(g5)
|
||||||
|
f0g6 := int64(f0) * int64(g6)
|
||||||
|
f0g7 := int64(f0) * int64(g7)
|
||||||
|
f0g8 := int64(f0) * int64(g8)
|
||||||
|
f0g9 := int64(f0) * int64(g9)
|
||||||
|
f1g0 := int64(f1) * int64(g0)
|
||||||
|
f1g1_2 := int64(f1_2) * int64(g1)
|
||||||
|
f1g2 := int64(f1) * int64(g2)
|
||||||
|
f1g3_2 := int64(f1_2) * int64(g3)
|
||||||
|
f1g4 := int64(f1) * int64(g4)
|
||||||
|
f1g5_2 := int64(f1_2) * int64(g5)
|
||||||
|
f1g6 := int64(f1) * int64(g6)
|
||||||
|
f1g7_2 := int64(f1_2) * int64(g7)
|
||||||
|
f1g8 := int64(f1) * int64(g8)
|
||||||
|
f1g9_38 := int64(f1_2) * int64(g9_19)
|
||||||
|
f2g0 := int64(f2) * int64(g0)
|
||||||
|
f2g1 := int64(f2) * int64(g1)
|
||||||
|
f2g2 := int64(f2) * int64(g2)
|
||||||
|
f2g3 := int64(f2) * int64(g3)
|
||||||
|
f2g4 := int64(f2) * int64(g4)
|
||||||
|
f2g5 := int64(f2) * int64(g5)
|
||||||
|
f2g6 := int64(f2) * int64(g6)
|
||||||
|
f2g7 := int64(f2) * int64(g7)
|
||||||
|
f2g8_19 := int64(f2) * int64(g8_19)
|
||||||
|
f2g9_19 := int64(f2) * int64(g9_19)
|
||||||
|
f3g0 := int64(f3) * int64(g0)
|
||||||
|
f3g1_2 := int64(f3_2) * int64(g1)
|
||||||
|
f3g2 := int64(f3) * int64(g2)
|
||||||
|
f3g3_2 := int64(f3_2) * int64(g3)
|
||||||
|
f3g4 := int64(f3) * int64(g4)
|
||||||
|
f3g5_2 := int64(f3_2) * int64(g5)
|
||||||
|
f3g6 := int64(f3) * int64(g6)
|
||||||
|
f3g7_38 := int64(f3_2) * int64(g7_19)
|
||||||
|
f3g8_19 := int64(f3) * int64(g8_19)
|
||||||
|
f3g9_38 := int64(f3_2) * int64(g9_19)
|
||||||
|
f4g0 := int64(f4) * int64(g0)
|
||||||
|
f4g1 := int64(f4) * int64(g1)
|
||||||
|
f4g2 := int64(f4) * int64(g2)
|
||||||
|
f4g3 := int64(f4) * int64(g3)
|
||||||
|
f4g4 := int64(f4) * int64(g4)
|
||||||
|
f4g5 := int64(f4) * int64(g5)
|
||||||
|
f4g6_19 := int64(f4) * int64(g6_19)
|
||||||
|
f4g7_19 := int64(f4) * int64(g7_19)
|
||||||
|
f4g8_19 := int64(f4) * int64(g8_19)
|
||||||
|
f4g9_19 := int64(f4) * int64(g9_19)
|
||||||
|
f5g0 := int64(f5) * int64(g0)
|
||||||
|
f5g1_2 := int64(f5_2) * int64(g1)
|
||||||
|
f5g2 := int64(f5) * int64(g2)
|
||||||
|
f5g3_2 := int64(f5_2) * int64(g3)
|
||||||
|
f5g4 := int64(f5) * int64(g4)
|
||||||
|
f5g5_38 := int64(f5_2) * int64(g5_19)
|
||||||
|
f5g6_19 := int64(f5) * int64(g6_19)
|
||||||
|
f5g7_38 := int64(f5_2) * int64(g7_19)
|
||||||
|
f5g8_19 := int64(f5) * int64(g8_19)
|
||||||
|
f5g9_38 := int64(f5_2) * int64(g9_19)
|
||||||
|
f6g0 := int64(f6) * int64(g0)
|
||||||
|
f6g1 := int64(f6) * int64(g1)
|
||||||
|
f6g2 := int64(f6) * int64(g2)
|
||||||
|
f6g3 := int64(f6) * int64(g3)
|
||||||
|
f6g4_19 := int64(f6) * int64(g4_19)
|
||||||
|
f6g5_19 := int64(f6) * int64(g5_19)
|
||||||
|
f6g6_19 := int64(f6) * int64(g6_19)
|
||||||
|
f6g7_19 := int64(f6) * int64(g7_19)
|
||||||
|
f6g8_19 := int64(f6) * int64(g8_19)
|
||||||
|
f6g9_19 := int64(f6) * int64(g9_19)
|
||||||
|
f7g0 := int64(f7) * int64(g0)
|
||||||
|
f7g1_2 := int64(f7_2) * int64(g1)
|
||||||
|
f7g2 := int64(f7) * int64(g2)
|
||||||
|
f7g3_38 := int64(f7_2) * int64(g3_19)
|
||||||
|
f7g4_19 := int64(f7) * int64(g4_19)
|
||||||
|
f7g5_38 := int64(f7_2) * int64(g5_19)
|
||||||
|
f7g6_19 := int64(f7) * int64(g6_19)
|
||||||
|
f7g7_38 := int64(f7_2) * int64(g7_19)
|
||||||
|
f7g8_19 := int64(f7) * int64(g8_19)
|
||||||
|
f7g9_38 := int64(f7_2) * int64(g9_19)
|
||||||
|
f8g0 := int64(f8) * int64(g0)
|
||||||
|
f8g1 := int64(f8) * int64(g1)
|
||||||
|
f8g2_19 := int64(f8) * int64(g2_19)
|
||||||
|
f8g3_19 := int64(f8) * int64(g3_19)
|
||||||
|
f8g4_19 := int64(f8) * int64(g4_19)
|
||||||
|
f8g5_19 := int64(f8) * int64(g5_19)
|
||||||
|
f8g6_19 := int64(f8) * int64(g6_19)
|
||||||
|
f8g7_19 := int64(f8) * int64(g7_19)
|
||||||
|
f8g8_19 := int64(f8) * int64(g8_19)
|
||||||
|
f8g9_19 := int64(f8) * int64(g9_19)
|
||||||
|
f9g0 := int64(f9) * int64(g0)
|
||||||
|
f9g1_38 := int64(f9_2) * int64(g1_19)
|
||||||
|
f9g2_19 := int64(f9) * int64(g2_19)
|
||||||
|
f9g3_38 := int64(f9_2) * int64(g3_19)
|
||||||
|
f9g4_19 := int64(f9) * int64(g4_19)
|
||||||
|
f9g5_38 := int64(f9_2) * int64(g5_19)
|
||||||
|
f9g6_19 := int64(f9) * int64(g6_19)
|
||||||
|
f9g7_38 := int64(f9_2) * int64(g7_19)
|
||||||
|
f9g8_19 := int64(f9) * int64(g8_19)
|
||||||
|
f9g9_38 := int64(f9_2) * int64(g9_19)
|
||||||
|
h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38
|
||||||
|
h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19
|
||||||
|
h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38
|
||||||
|
h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19
|
||||||
|
h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38
|
||||||
|
h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19
|
||||||
|
h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38
|
||||||
|
h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19
|
||||||
|
h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38
|
||||||
|
h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0
|
||||||
|
var carry [10]int64
|
||||||
|
|
||||||
|
// |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
|
||||||
|
// i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
|
||||||
|
// |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
|
||||||
|
// i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
// |h0| <= 2^25
|
||||||
|
// |h4| <= 2^25
|
||||||
|
// |h1| <= 1.51*2^58
|
||||||
|
// |h5| <= 1.51*2^58
|
||||||
|
|
||||||
|
carry[1] = (h1 + (1 << 24)) >> 25
|
||||||
|
h2 += carry[1]
|
||||||
|
h1 -= carry[1] << 25
|
||||||
|
carry[5] = (h5 + (1 << 24)) >> 25
|
||||||
|
h6 += carry[5]
|
||||||
|
h5 -= carry[5] << 25
|
||||||
|
// |h1| <= 2^24; from now on fits into int32
|
||||||
|
// |h5| <= 2^24; from now on fits into int32
|
||||||
|
// |h2| <= 1.21*2^59
|
||||||
|
// |h6| <= 1.21*2^59
|
||||||
|
|
||||||
|
carry[2] = (h2 + (1 << 25)) >> 26
|
||||||
|
h3 += carry[2]
|
||||||
|
h2 -= carry[2] << 26
|
||||||
|
carry[6] = (h6 + (1 << 25)) >> 26
|
||||||
|
h7 += carry[6]
|
||||||
|
h6 -= carry[6] << 26
|
||||||
|
// |h2| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h6| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h3| <= 1.51*2^58
|
||||||
|
// |h7| <= 1.51*2^58
|
||||||
|
|
||||||
|
carry[3] = (h3 + (1 << 24)) >> 25
|
||||||
|
h4 += carry[3]
|
||||||
|
h3 -= carry[3] << 25
|
||||||
|
carry[7] = (h7 + (1 << 24)) >> 25
|
||||||
|
h8 += carry[7]
|
||||||
|
h7 -= carry[7] << 25
|
||||||
|
// |h3| <= 2^24; from now on fits into int32 unchanged
|
||||||
|
// |h7| <= 2^24; from now on fits into int32 unchanged
|
||||||
|
// |h4| <= 1.52*2^33
|
||||||
|
// |h8| <= 1.52*2^33
|
||||||
|
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
carry[8] = (h8 + (1 << 25)) >> 26
|
||||||
|
h9 += carry[8]
|
||||||
|
h8 -= carry[8] << 26
|
||||||
|
// |h4| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h8| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h5| <= 1.01*2^24
|
||||||
|
// |h9| <= 1.51*2^58
|
||||||
|
|
||||||
|
carry[9] = (h9 + (1 << 24)) >> 25
|
||||||
|
h0 += carry[9] * 19
|
||||||
|
h9 -= carry[9] << 25
|
||||||
|
// |h9| <= 2^24; from now on fits into int32 unchanged
|
||||||
|
// |h0| <= 1.8*2^37
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
// |h0| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h1| <= 1.01*2^24
|
||||||
|
|
||||||
|
h[0] = int32(h0)
|
||||||
|
h[1] = int32(h1)
|
||||||
|
h[2] = int32(h2)
|
||||||
|
h[3] = int32(h3)
|
||||||
|
h[4] = int32(h4)
|
||||||
|
h[5] = int32(h5)
|
||||||
|
h[6] = int32(h6)
|
||||||
|
h[7] = int32(h7)
|
||||||
|
h[8] = int32(h8)
|
||||||
|
h[9] = int32(h9)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feSquare calculates h = f*f. Can overlap h with f.
|
||||||
|
//
|
||||||
|
// Preconditions:
|
||||||
|
// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|
||||||
|
//
|
||||||
|
// Postconditions:
|
||||||
|
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|
||||||
|
func feSquare(h, f *fieldElement) {
|
||||||
|
f0 := f[0]
|
||||||
|
f1 := f[1]
|
||||||
|
f2 := f[2]
|
||||||
|
f3 := f[3]
|
||||||
|
f4 := f[4]
|
||||||
|
f5 := f[5]
|
||||||
|
f6 := f[6]
|
||||||
|
f7 := f[7]
|
||||||
|
f8 := f[8]
|
||||||
|
f9 := f[9]
|
||||||
|
f0_2 := 2 * f0
|
||||||
|
f1_2 := 2 * f1
|
||||||
|
f2_2 := 2 * f2
|
||||||
|
f3_2 := 2 * f3
|
||||||
|
f4_2 := 2 * f4
|
||||||
|
f5_2 := 2 * f5
|
||||||
|
f6_2 := 2 * f6
|
||||||
|
f7_2 := 2 * f7
|
||||||
|
f5_38 := 38 * f5 // 1.31*2^30
|
||||||
|
f6_19 := 19 * f6 // 1.31*2^30
|
||||||
|
f7_38 := 38 * f7 // 1.31*2^30
|
||||||
|
f8_19 := 19 * f8 // 1.31*2^30
|
||||||
|
f9_38 := 38 * f9 // 1.31*2^30
|
||||||
|
f0f0 := int64(f0) * int64(f0)
|
||||||
|
f0f1_2 := int64(f0_2) * int64(f1)
|
||||||
|
f0f2_2 := int64(f0_2) * int64(f2)
|
||||||
|
f0f3_2 := int64(f0_2) * int64(f3)
|
||||||
|
f0f4_2 := int64(f0_2) * int64(f4)
|
||||||
|
f0f5_2 := int64(f0_2) * int64(f5)
|
||||||
|
f0f6_2 := int64(f0_2) * int64(f6)
|
||||||
|
f0f7_2 := int64(f0_2) * int64(f7)
|
||||||
|
f0f8_2 := int64(f0_2) * int64(f8)
|
||||||
|
f0f9_2 := int64(f0_2) * int64(f9)
|
||||||
|
f1f1_2 := int64(f1_2) * int64(f1)
|
||||||
|
f1f2_2 := int64(f1_2) * int64(f2)
|
||||||
|
f1f3_4 := int64(f1_2) * int64(f3_2)
|
||||||
|
f1f4_2 := int64(f1_2) * int64(f4)
|
||||||
|
f1f5_4 := int64(f1_2) * int64(f5_2)
|
||||||
|
f1f6_2 := int64(f1_2) * int64(f6)
|
||||||
|
f1f7_4 := int64(f1_2) * int64(f7_2)
|
||||||
|
f1f8_2 := int64(f1_2) * int64(f8)
|
||||||
|
f1f9_76 := int64(f1_2) * int64(f9_38)
|
||||||
|
f2f2 := int64(f2) * int64(f2)
|
||||||
|
f2f3_2 := int64(f2_2) * int64(f3)
|
||||||
|
f2f4_2 := int64(f2_2) * int64(f4)
|
||||||
|
f2f5_2 := int64(f2_2) * int64(f5)
|
||||||
|
f2f6_2 := int64(f2_2) * int64(f6)
|
||||||
|
f2f7_2 := int64(f2_2) * int64(f7)
|
||||||
|
f2f8_38 := int64(f2_2) * int64(f8_19)
|
||||||
|
f2f9_38 := int64(f2) * int64(f9_38)
|
||||||
|
f3f3_2 := int64(f3_2) * int64(f3)
|
||||||
|
f3f4_2 := int64(f3_2) * int64(f4)
|
||||||
|
f3f5_4 := int64(f3_2) * int64(f5_2)
|
||||||
|
f3f6_2 := int64(f3_2) * int64(f6)
|
||||||
|
f3f7_76 := int64(f3_2) * int64(f7_38)
|
||||||
|
f3f8_38 := int64(f3_2) * int64(f8_19)
|
||||||
|
f3f9_76 := int64(f3_2) * int64(f9_38)
|
||||||
|
f4f4 := int64(f4) * int64(f4)
|
||||||
|
f4f5_2 := int64(f4_2) * int64(f5)
|
||||||
|
f4f6_38 := int64(f4_2) * int64(f6_19)
|
||||||
|
f4f7_38 := int64(f4) * int64(f7_38)
|
||||||
|
f4f8_38 := int64(f4_2) * int64(f8_19)
|
||||||
|
f4f9_38 := int64(f4) * int64(f9_38)
|
||||||
|
f5f5_38 := int64(f5) * int64(f5_38)
|
||||||
|
f5f6_38 := int64(f5_2) * int64(f6_19)
|
||||||
|
f5f7_76 := int64(f5_2) * int64(f7_38)
|
||||||
|
f5f8_38 := int64(f5_2) * int64(f8_19)
|
||||||
|
f5f9_76 := int64(f5_2) * int64(f9_38)
|
||||||
|
f6f6_19 := int64(f6) * int64(f6_19)
|
||||||
|
f6f7_38 := int64(f6) * int64(f7_38)
|
||||||
|
f6f8_38 := int64(f6_2) * int64(f8_19)
|
||||||
|
f6f9_38 := int64(f6) * int64(f9_38)
|
||||||
|
f7f7_38 := int64(f7) * int64(f7_38)
|
||||||
|
f7f8_38 := int64(f7_2) * int64(f8_19)
|
||||||
|
f7f9_76 := int64(f7_2) * int64(f9_38)
|
||||||
|
f8f8_19 := int64(f8) * int64(f8_19)
|
||||||
|
f8f9_38 := int64(f8) * int64(f9_38)
|
||||||
|
f9f9_38 := int64(f9) * int64(f9_38)
|
||||||
|
h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
|
||||||
|
h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
|
||||||
|
h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
|
||||||
|
h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
|
||||||
|
h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
|
||||||
|
h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
|
||||||
|
h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
|
||||||
|
h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
|
||||||
|
h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
|
||||||
|
h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
|
||||||
|
var carry [10]int64
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
|
||||||
|
carry[1] = (h1 + (1 << 24)) >> 25
|
||||||
|
h2 += carry[1]
|
||||||
|
h1 -= carry[1] << 25
|
||||||
|
carry[5] = (h5 + (1 << 24)) >> 25
|
||||||
|
h6 += carry[5]
|
||||||
|
h5 -= carry[5] << 25
|
||||||
|
|
||||||
|
carry[2] = (h2 + (1 << 25)) >> 26
|
||||||
|
h3 += carry[2]
|
||||||
|
h2 -= carry[2] << 26
|
||||||
|
carry[6] = (h6 + (1 << 25)) >> 26
|
||||||
|
h7 += carry[6]
|
||||||
|
h6 -= carry[6] << 26
|
||||||
|
|
||||||
|
carry[3] = (h3 + (1 << 24)) >> 25
|
||||||
|
h4 += carry[3]
|
||||||
|
h3 -= carry[3] << 25
|
||||||
|
carry[7] = (h7 + (1 << 24)) >> 25
|
||||||
|
h8 += carry[7]
|
||||||
|
h7 -= carry[7] << 25
|
||||||
|
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
carry[8] = (h8 + (1 << 25)) >> 26
|
||||||
|
h9 += carry[8]
|
||||||
|
h8 -= carry[8] << 26
|
||||||
|
|
||||||
|
carry[9] = (h9 + (1 << 24)) >> 25
|
||||||
|
h0 += carry[9] * 19
|
||||||
|
h9 -= carry[9] << 25
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
|
||||||
|
h[0] = int32(h0)
|
||||||
|
h[1] = int32(h1)
|
||||||
|
h[2] = int32(h2)
|
||||||
|
h[3] = int32(h3)
|
||||||
|
h[4] = int32(h4)
|
||||||
|
h[5] = int32(h5)
|
||||||
|
h[6] = int32(h6)
|
||||||
|
h[7] = int32(h7)
|
||||||
|
h[8] = int32(h8)
|
||||||
|
h[9] = int32(h9)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feMul121666 calculates h = f * 121666. Can overlap h with f.
|
||||||
|
//
|
||||||
|
// Preconditions:
|
||||||
|
// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|
||||||
|
//
|
||||||
|
// Postconditions:
|
||||||
|
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|
||||||
|
func feMul121666(h, f *fieldElement) {
|
||||||
|
h0 := int64(f[0]) * 121666
|
||||||
|
h1 := int64(f[1]) * 121666
|
||||||
|
h2 := int64(f[2]) * 121666
|
||||||
|
h3 := int64(f[3]) * 121666
|
||||||
|
h4 := int64(f[4]) * 121666
|
||||||
|
h5 := int64(f[5]) * 121666
|
||||||
|
h6 := int64(f[6]) * 121666
|
||||||
|
h7 := int64(f[7]) * 121666
|
||||||
|
h8 := int64(f[8]) * 121666
|
||||||
|
h9 := int64(f[9]) * 121666
|
||||||
|
var carry [10]int64
|
||||||
|
|
||||||
|
carry[9] = (h9 + (1 << 24)) >> 25
|
||||||
|
h0 += carry[9] * 19
|
||||||
|
h9 -= carry[9] << 25
|
||||||
|
carry[1] = (h1 + (1 << 24)) >> 25
|
||||||
|
h2 += carry[1]
|
||||||
|
h1 -= carry[1] << 25
|
||||||
|
carry[3] = (h3 + (1 << 24)) >> 25
|
||||||
|
h4 += carry[3]
|
||||||
|
h3 -= carry[3] << 25
|
||||||
|
carry[5] = (h5 + (1 << 24)) >> 25
|
||||||
|
h6 += carry[5]
|
||||||
|
h5 -= carry[5] << 25
|
||||||
|
carry[7] = (h7 + (1 << 24)) >> 25
|
||||||
|
h8 += carry[7]
|
||||||
|
h7 -= carry[7] << 25
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
carry[2] = (h2 + (1 << 25)) >> 26
|
||||||
|
h3 += carry[2]
|
||||||
|
h2 -= carry[2] << 26
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
carry[6] = (h6 + (1 << 25)) >> 26
|
||||||
|
h7 += carry[6]
|
||||||
|
h6 -= carry[6] << 26
|
||||||
|
carry[8] = (h8 + (1 << 25)) >> 26
|
||||||
|
h9 += carry[8]
|
||||||
|
h8 -= carry[8] << 26
|
||||||
|
|
||||||
|
h[0] = int32(h0)
|
||||||
|
h[1] = int32(h1)
|
||||||
|
h[2] = int32(h2)
|
||||||
|
h[3] = int32(h3)
|
||||||
|
h[4] = int32(h4)
|
||||||
|
h[5] = int32(h5)
|
||||||
|
h[6] = int32(h6)
|
||||||
|
h[7] = int32(h7)
|
||||||
|
h[8] = int32(h8)
|
||||||
|
h[9] = int32(h9)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feInvert sets out = z^-1.
|
||||||
|
func feInvert(out, z *fieldElement) {
|
||||||
|
var t0, t1, t2, t3 fieldElement
|
||||||
|
var i int
|
||||||
|
|
||||||
|
feSquare(&t0, z)
|
||||||
|
for i = 1; i < 1; i++ {
|
||||||
|
feSquare(&t0, &t0)
|
||||||
|
}
|
||||||
|
feSquare(&t1, &t0)
|
||||||
|
for i = 1; i < 2; i++ {
|
||||||
|
feSquare(&t1, &t1)
|
||||||
|
}
|
||||||
|
feMul(&t1, z, &t1)
|
||||||
|
feMul(&t0, &t0, &t1)
|
||||||
|
feSquare(&t2, &t0)
|
||||||
|
for i = 1; i < 1; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t1, &t1, &t2)
|
||||||
|
feSquare(&t2, &t1)
|
||||||
|
for i = 1; i < 5; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t1, &t2, &t1)
|
||||||
|
feSquare(&t2, &t1)
|
||||||
|
for i = 1; i < 10; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t2, &t2, &t1)
|
||||||
|
feSquare(&t3, &t2)
|
||||||
|
for i = 1; i < 20; i++ {
|
||||||
|
feSquare(&t3, &t3)
|
||||||
|
}
|
||||||
|
feMul(&t2, &t3, &t2)
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
for i = 1; i < 10; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t1, &t2, &t1)
|
||||||
|
feSquare(&t2, &t1)
|
||||||
|
for i = 1; i < 50; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t2, &t2, &t1)
|
||||||
|
feSquare(&t3, &t2)
|
||||||
|
for i = 1; i < 100; i++ {
|
||||||
|
feSquare(&t3, &t3)
|
||||||
|
}
|
||||||
|
feMul(&t2, &t3, &t2)
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
for i = 1; i < 50; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t1, &t2, &t1)
|
||||||
|
feSquare(&t1, &t1)
|
||||||
|
for i = 1; i < 5; i++ {
|
||||||
|
feSquare(&t1, &t1)
|
||||||
|
}
|
||||||
|
feMul(out, &t1, &t0)
|
||||||
|
}
|
||||||
|
|
||||||
|
func scalarMult(out, in, base *[32]byte) {
|
||||||
|
var e [32]byte
|
||||||
|
|
||||||
|
copy(e[:], in[:])
|
||||||
|
e[0] &= 248
|
||||||
|
e[31] &= 127
|
||||||
|
e[31] |= 64
|
||||||
|
|
||||||
|
var x1, x2, z2, x3, z3, tmp0, tmp1 fieldElement
|
||||||
|
feFromBytes(&x1, base)
|
||||||
|
feOne(&x2)
|
||||||
|
feCopy(&x3, &x1)
|
||||||
|
feOne(&z3)
|
||||||
|
|
||||||
|
swap := int32(0)
|
||||||
|
for pos := 254; pos >= 0; pos-- {
|
||||||
|
b := e[pos/8] >> uint(pos&7)
|
||||||
|
b &= 1
|
||||||
|
swap ^= int32(b)
|
||||||
|
feCSwap(&x2, &x3, swap)
|
||||||
|
feCSwap(&z2, &z3, swap)
|
||||||
|
swap = int32(b)
|
||||||
|
|
||||||
|
feSub(&tmp0, &x3, &z3)
|
||||||
|
feSub(&tmp1, &x2, &z2)
|
||||||
|
feAdd(&x2, &x2, &z2)
|
||||||
|
feAdd(&z2, &x3, &z3)
|
||||||
|
feMul(&z3, &tmp0, &x2)
|
||||||
|
feMul(&z2, &z2, &tmp1)
|
||||||
|
feSquare(&tmp0, &tmp1)
|
||||||
|
feSquare(&tmp1, &x2)
|
||||||
|
feAdd(&x3, &z3, &z2)
|
||||||
|
feSub(&z2, &z3, &z2)
|
||||||
|
feMul(&x2, &tmp1, &tmp0)
|
||||||
|
feSub(&tmp1, &tmp1, &tmp0)
|
||||||
|
feSquare(&z2, &z2)
|
||||||
|
feMul121666(&z3, &tmp1)
|
||||||
|
feSquare(&x3, &x3)
|
||||||
|
feAdd(&tmp0, &tmp0, &z3)
|
||||||
|
feMul(&z3, &x1, &z2)
|
||||||
|
feMul(&z2, &tmp1, &tmp0)
|
||||||
|
}
|
||||||
|
|
||||||
|
feCSwap(&x2, &x3, swap)
|
||||||
|
feCSwap(&z2, &z3, swap)
|
||||||
|
|
||||||
|
feInvert(&z2, &z2)
|
||||||
|
feMul(&x2, &x2, &z2)
|
||||||
|
feToBytes(out, &x2)
|
||||||
|
}
|
@ -0,0 +1,113 @@
|
|||||||
|
package curve25519
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/elliptic"
|
||||||
|
"math/big"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
var cv25519 cv25519Curve
|
||||||
|
|
||||||
|
type cv25519Curve struct {
|
||||||
|
*elliptic.CurveParams
|
||||||
|
}
|
||||||
|
|
||||||
|
func copyReverse(dst []byte, src []byte) {
|
||||||
|
// Curve 25519 multiplication functions expect scalars in reverse
|
||||||
|
// order than PGP. To keep the curve25519Curve type consistent
|
||||||
|
// with other curves, we reverse it here.
|
||||||
|
for i, j := 0, len(src)-1; j >= 0; i, j = i+1, j-1 {
|
||||||
|
dst[i] = src[j]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cv25519Curve) ScalarMult(x1, y1 *big.Int, scalar []byte) (x, y *big.Int) {
|
||||||
|
// Assume y1 is 0 with cv25519.
|
||||||
|
var dst [32]byte
|
||||||
|
var x1Bytes [32]byte
|
||||||
|
var scalarBytes [32]byte
|
||||||
|
|
||||||
|
copy(x1Bytes[:], x1.Bytes()[:32])
|
||||||
|
copyReverse(scalarBytes[:], scalar[:32])
|
||||||
|
|
||||||
|
scalarMult(&dst, &scalarBytes, &x1Bytes)
|
||||||
|
|
||||||
|
x = new(big.Int).SetBytes(dst[:])
|
||||||
|
y = new(big.Int)
|
||||||
|
return x, y
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cv25519Curve) ScalarBaseMult(scalar []byte) (x, y *big.Int) {
|
||||||
|
var dst [32]byte
|
||||||
|
var scalarBytes [32]byte
|
||||||
|
copyReverse(scalarBytes[:], scalar[:32])
|
||||||
|
scalarMult(&dst, &scalarBytes, &basePoint)
|
||||||
|
x = new(big.Int).SetBytes(dst[:])
|
||||||
|
y = new(big.Int)
|
||||||
|
return x, y
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cv25519Curve) IsOnCurve(bigX, bigY *big.Int) bool {
|
||||||
|
return bigY.Sign() == 0 // bigY == 0 ?
|
||||||
|
}
|
||||||
|
|
||||||
|
// More information about 0x40 point format:
|
||||||
|
// https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-00#section-3
|
||||||
|
// In addition to uncompressed point format described here:
|
||||||
|
// https://tools.ietf.org/html/rfc6637#section-6
|
||||||
|
|
||||||
|
func (cv25519Curve) MarshalType40(x, y *big.Int) []byte {
|
||||||
|
byteLen := 32
|
||||||
|
|
||||||
|
ret := make([]byte, 1+byteLen)
|
||||||
|
ret[0] = 0x40
|
||||||
|
|
||||||
|
xBytes := x.Bytes()
|
||||||
|
copy(ret[1+byteLen-len(xBytes):], xBytes)
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cv25519Curve) UnmarshalType40(data []byte) (x, y *big.Int) {
|
||||||
|
if len(data) != 1+32 {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
if data[0] != 0x40 {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
x = new(big.Int).SetBytes(data[1:])
|
||||||
|
// Any x is a valid curve point.
|
||||||
|
return x, new(big.Int)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ToCurve25519 casts given elliptic.Curve type to Curve25519 type, or
|
||||||
|
// returns nil, false if cast was unsuccessful.
|
||||||
|
func ToCurve25519(cv elliptic.Curve) (cv25519Curve, bool) {
|
||||||
|
cv2, ok := cv.(cv25519Curve)
|
||||||
|
return cv2, ok
|
||||||
|
}
|
||||||
|
|
||||||
|
func initCv25519() {
|
||||||
|
cv25519.CurveParams = &elliptic.CurveParams{Name: "Curve 25519"}
|
||||||
|
// Some code relies on these parameters being available for
|
||||||
|
// checking Curve coordinate length. They should not be used
|
||||||
|
// directly for any calculations.
|
||||||
|
cv25519.P, _ = new (big.Int).SetString("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed", 16)
|
||||||
|
cv25519.N, _ = new (big.Int).SetString("1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed", 16)
|
||||||
|
cv25519.Gx, _ = new (big.Int).SetString("9", 16)
|
||||||
|
cv25519.Gy, _ = new (big.Int).SetString("20ae19a1b8a086b4e01edd2c7748d14c923d4d7e6d7c61b229e9c5a27eced3d9", 16)
|
||||||
|
cv25519.BitSize = 256
|
||||||
|
}
|
||||||
|
|
||||||
|
var initonce sync.Once
|
||||||
|
|
||||||
|
// Cv25519 returns a Curve which (partially) implements Cv25519. Only
|
||||||
|
// ScalarMult and ScalarBaseMult are valid for this curve. Add and
|
||||||
|
// Double should not be used.
|
||||||
|
func Cv25519() elliptic.Curve {
|
||||||
|
initonce.Do(initCv25519)
|
||||||
|
return cv25519
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve cv25519Curve) Params() *elliptic.CurveParams {
|
||||||
|
return curve.CurveParams
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package curve25519 provides an implementation of scalar multiplication on
|
||||||
|
// the elliptic curve known as curve25519. See http://cr.yp.to/ecdh.html
|
||||||
|
package curve25519
|
||||||
|
|
||||||
|
// basePoint is the x coordinate of the generator of the curve.
|
||||||
|
var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
|
||||||
|
|
||||||
|
// ScalarMult sets dst to the product in*base where dst and base are the x
|
||||||
|
// coordinates of group points and all values are in little-endian form.
|
||||||
|
func ScalarMult(dst, in, base *[32]byte) {
|
||||||
|
scalarMult(dst, in, base)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ScalarBaseMult sets dst to the product in*base where dst and base are the x
|
||||||
|
// coordinates of group points, base is the standard generator and all values
|
||||||
|
// are in little-endian form.
|
||||||
|
func ScalarBaseMult(dst, in *[32]byte) {
|
||||||
|
ScalarMult(dst, in, &basePoint)
|
||||||
|
}
|
@ -0,0 +1,94 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
// func freeze(inout *[5]uint64)
|
||||||
|
TEXT ·freeze(SB),7,$96-8
|
||||||
|
MOVQ inout+0(FP), DI
|
||||||
|
|
||||||
|
MOVQ SP,R11
|
||||||
|
MOVQ $31,CX
|
||||||
|
NOTQ CX
|
||||||
|
ANDQ CX,SP
|
||||||
|
ADDQ $32,SP
|
||||||
|
|
||||||
|
MOVQ R11,0(SP)
|
||||||
|
MOVQ R12,8(SP)
|
||||||
|
MOVQ R13,16(SP)
|
||||||
|
MOVQ R14,24(SP)
|
||||||
|
MOVQ R15,32(SP)
|
||||||
|
MOVQ BX,40(SP)
|
||||||
|
MOVQ BP,48(SP)
|
||||||
|
MOVQ 0(DI),SI
|
||||||
|
MOVQ 8(DI),DX
|
||||||
|
MOVQ 16(DI),CX
|
||||||
|
MOVQ 24(DI),R8
|
||||||
|
MOVQ 32(DI),R9
|
||||||
|
MOVQ ·REDMASK51(SB),AX
|
||||||
|
MOVQ AX,R10
|
||||||
|
SUBQ $18,R10
|
||||||
|
MOVQ $3,R11
|
||||||
|
REDUCELOOP:
|
||||||
|
MOVQ SI,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,SI
|
||||||
|
ADDQ R12,DX
|
||||||
|
MOVQ DX,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,DX
|
||||||
|
ADDQ R12,CX
|
||||||
|
MOVQ CX,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,CX
|
||||||
|
ADDQ R12,R8
|
||||||
|
MOVQ R8,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,R8
|
||||||
|
ADDQ R12,R9
|
||||||
|
MOVQ R9,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,R9
|
||||||
|
IMUL3Q $19,R12,R12
|
||||||
|
ADDQ R12,SI
|
||||||
|
SUBQ $1,R11
|
||||||
|
JA REDUCELOOP
|
||||||
|
MOVQ $1,R12
|
||||||
|
CMPQ R10,SI
|
||||||
|
CMOVQLT R11,R12
|
||||||
|
CMPQ AX,DX
|
||||||
|
CMOVQNE R11,R12
|
||||||
|
CMPQ AX,CX
|
||||||
|
CMOVQNE R11,R12
|
||||||
|
CMPQ AX,R8
|
||||||
|
CMOVQNE R11,R12
|
||||||
|
CMPQ AX,R9
|
||||||
|
CMOVQNE R11,R12
|
||||||
|
NEGQ R12
|
||||||
|
ANDQ R12,AX
|
||||||
|
ANDQ R12,R10
|
||||||
|
SUBQ R10,SI
|
||||||
|
SUBQ AX,DX
|
||||||
|
SUBQ AX,CX
|
||||||
|
SUBQ AX,R8
|
||||||
|
SUBQ AX,R9
|
||||||
|
MOVQ SI,0(DI)
|
||||||
|
MOVQ DX,8(DI)
|
||||||
|
MOVQ CX,16(DI)
|
||||||
|
MOVQ R8,24(DI)
|
||||||
|
MOVQ R9,32(DI)
|
||||||
|
MOVQ 0(SP),R11
|
||||||
|
MOVQ 8(SP),R12
|
||||||
|
MOVQ 16(SP),R13
|
||||||
|
MOVQ 24(SP),R14
|
||||||
|
MOVQ 32(SP),R15
|
||||||
|
MOVQ 40(SP),BX
|
||||||
|
MOVQ 48(SP),BP
|
||||||
|
MOVQ R11,SP
|
||||||
|
MOVQ DI,AX
|
||||||
|
MOVQ SI,DX
|
||||||
|
RET
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,240 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
package curve25519
|
||||||
|
|
||||||
|
// These functions are implemented in the .s files. The names of the functions
|
||||||
|
// in the rest of the file are also taken from the SUPERCOP sources to help
|
||||||
|
// people following along.
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func cswap(inout *[5]uint64, v uint64)
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func ladderstep(inout *[5][5]uint64)
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func freeze(inout *[5]uint64)
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func mul(dest, a, b *[5]uint64)
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func square(out, in *[5]uint64)
|
||||||
|
|
||||||
|
// mladder uses a Montgomery ladder to calculate (xr/zr) *= s.
|
||||||
|
func mladder(xr, zr *[5]uint64, s *[32]byte) {
|
||||||
|
var work [5][5]uint64
|
||||||
|
|
||||||
|
work[0] = *xr
|
||||||
|
setint(&work[1], 1)
|
||||||
|
setint(&work[2], 0)
|
||||||
|
work[3] = *xr
|
||||||
|
setint(&work[4], 1)
|
||||||
|
|
||||||
|
j := uint(6)
|
||||||
|
var prevbit byte
|
||||||
|
|
||||||
|
for i := 31; i >= 0; i-- {
|
||||||
|
for j < 8 {
|
||||||
|
bit := ((*s)[i] >> j) & 1
|
||||||
|
swap := bit ^ prevbit
|
||||||
|
prevbit = bit
|
||||||
|
cswap(&work[1], uint64(swap))
|
||||||
|
ladderstep(&work)
|
||||||
|
j--
|
||||||
|
}
|
||||||
|
j = 7
|
||||||
|
}
|
||||||
|
|
||||||
|
*xr = work[1]
|
||||||
|
*zr = work[2]
|
||||||
|
}
|
||||||
|
|
||||||
|
func scalarMult(out, in, base *[32]byte) {
|
||||||
|
var e [32]byte
|
||||||
|
copy(e[:], (*in)[:])
|
||||||
|
e[0] &= 248
|
||||||
|
e[31] &= 127
|
||||||
|
e[31] |= 64
|
||||||
|
|
||||||
|
var t, z [5]uint64
|
||||||
|
unpack(&t, base)
|
||||||
|
mladder(&t, &z, &e)
|
||||||
|
invert(&z, &z)
|
||||||
|
mul(&t, &t, &z)
|
||||||
|
pack(out, &t)
|
||||||
|
}
|
||||||
|
|
||||||
|
func setint(r *[5]uint64, v uint64) {
|
||||||
|
r[0] = v
|
||||||
|
r[1] = 0
|
||||||
|
r[2] = 0
|
||||||
|
r[3] = 0
|
||||||
|
r[4] = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
// unpack sets r = x where r consists of 5, 51-bit limbs in little-endian
|
||||||
|
// order.
|
||||||
|
func unpack(r *[5]uint64, x *[32]byte) {
|
||||||
|
r[0] = uint64(x[0]) |
|
||||||
|
uint64(x[1])<<8 |
|
||||||
|
uint64(x[2])<<16 |
|
||||||
|
uint64(x[3])<<24 |
|
||||||
|
uint64(x[4])<<32 |
|
||||||
|
uint64(x[5])<<40 |
|
||||||
|
uint64(x[6]&7)<<48
|
||||||
|
|
||||||
|
r[1] = uint64(x[6])>>3 |
|
||||||
|
uint64(x[7])<<5 |
|
||||||
|
uint64(x[8])<<13 |
|
||||||
|
uint64(x[9])<<21 |
|
||||||
|
uint64(x[10])<<29 |
|
||||||
|
uint64(x[11])<<37 |
|
||||||
|
uint64(x[12]&63)<<45
|
||||||
|
|
||||||
|
r[2] = uint64(x[12])>>6 |
|
||||||
|
uint64(x[13])<<2 |
|
||||||
|
uint64(x[14])<<10 |
|
||||||
|
uint64(x[15])<<18 |
|
||||||
|
uint64(x[16])<<26 |
|
||||||
|
uint64(x[17])<<34 |
|
||||||
|
uint64(x[18])<<42 |
|
||||||
|
uint64(x[19]&1)<<50
|
||||||
|
|
||||||
|
r[3] = uint64(x[19])>>1 |
|
||||||
|
uint64(x[20])<<7 |
|
||||||
|
uint64(x[21])<<15 |
|
||||||
|
uint64(x[22])<<23 |
|
||||||
|
uint64(x[23])<<31 |
|
||||||
|
uint64(x[24])<<39 |
|
||||||
|
uint64(x[25]&15)<<47
|
||||||
|
|
||||||
|
r[4] = uint64(x[25])>>4 |
|
||||||
|
uint64(x[26])<<4 |
|
||||||
|
uint64(x[27])<<12 |
|
||||||
|
uint64(x[28])<<20 |
|
||||||
|
uint64(x[29])<<28 |
|
||||||
|
uint64(x[30])<<36 |
|
||||||
|
uint64(x[31]&127)<<44
|
||||||
|
}
|
||||||
|
|
||||||
|
// pack sets out = x where out is the usual, little-endian form of the 5,
|
||||||
|
// 51-bit limbs in x.
|
||||||
|
func pack(out *[32]byte, x *[5]uint64) {
|
||||||
|
t := *x
|
||||||
|
freeze(&t)
|
||||||
|
|
||||||
|
out[0] = byte(t[0])
|
||||||
|
out[1] = byte(t[0] >> 8)
|
||||||
|
out[2] = byte(t[0] >> 16)
|
||||||
|
out[3] = byte(t[0] >> 24)
|
||||||
|
out[4] = byte(t[0] >> 32)
|
||||||
|
out[5] = byte(t[0] >> 40)
|
||||||
|
out[6] = byte(t[0] >> 48)
|
||||||
|
|
||||||
|
out[6] ^= byte(t[1]<<3) & 0xf8
|
||||||
|
out[7] = byte(t[1] >> 5)
|
||||||
|
out[8] = byte(t[1] >> 13)
|
||||||
|
out[9] = byte(t[1] >> 21)
|
||||||
|
out[10] = byte(t[1] >> 29)
|
||||||
|
out[11] = byte(t[1] >> 37)
|
||||||
|
out[12] = byte(t[1] >> 45)
|
||||||
|
|
||||||
|
out[12] ^= byte(t[2]<<6) & 0xc0
|
||||||
|
out[13] = byte(t[2] >> 2)
|
||||||
|
out[14] = byte(t[2] >> 10)
|
||||||
|
out[15] = byte(t[2] >> 18)
|
||||||
|
out[16] = byte(t[2] >> 26)
|
||||||
|
out[17] = byte(t[2] >> 34)
|
||||||
|
out[18] = byte(t[2] >> 42)
|
||||||
|
out[19] = byte(t[2] >> 50)
|
||||||
|
|
||||||
|
out[19] ^= byte(t[3]<<1) & 0xfe
|
||||||
|
out[20] = byte(t[3] >> 7)
|
||||||
|
out[21] = byte(t[3] >> 15)
|
||||||
|
out[22] = byte(t[3] >> 23)
|
||||||
|
out[23] = byte(t[3] >> 31)
|
||||||
|
out[24] = byte(t[3] >> 39)
|
||||||
|
out[25] = byte(t[3] >> 47)
|
||||||
|
|
||||||
|
out[25] ^= byte(t[4]<<4) & 0xf0
|
||||||
|
out[26] = byte(t[4] >> 4)
|
||||||
|
out[27] = byte(t[4] >> 12)
|
||||||
|
out[28] = byte(t[4] >> 20)
|
||||||
|
out[29] = byte(t[4] >> 28)
|
||||||
|
out[30] = byte(t[4] >> 36)
|
||||||
|
out[31] = byte(t[4] >> 44)
|
||||||
|
}
|
||||||
|
|
||||||
|
// invert calculates r = x^-1 mod p using Fermat's little theorem.
|
||||||
|
func invert(r *[5]uint64, x *[5]uint64) {
|
||||||
|
var z2, z9, z11, z2_5_0, z2_10_0, z2_20_0, z2_50_0, z2_100_0, t [5]uint64
|
||||||
|
|
||||||
|
square(&z2, x) /* 2 */
|
||||||
|
square(&t, &z2) /* 4 */
|
||||||
|
square(&t, &t) /* 8 */
|
||||||
|
mul(&z9, &t, x) /* 9 */
|
||||||
|
mul(&z11, &z9, &z2) /* 11 */
|
||||||
|
square(&t, &z11) /* 22 */
|
||||||
|
mul(&z2_5_0, &t, &z9) /* 2^5 - 2^0 = 31 */
|
||||||
|
|
||||||
|
square(&t, &z2_5_0) /* 2^6 - 2^1 */
|
||||||
|
for i := 1; i < 5; i++ { /* 2^20 - 2^10 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&z2_10_0, &t, &z2_5_0) /* 2^10 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &z2_10_0) /* 2^11 - 2^1 */
|
||||||
|
for i := 1; i < 10; i++ { /* 2^20 - 2^10 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&z2_20_0, &t, &z2_10_0) /* 2^20 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &z2_20_0) /* 2^21 - 2^1 */
|
||||||
|
for i := 1; i < 20; i++ { /* 2^40 - 2^20 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&t, &t, &z2_20_0) /* 2^40 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^41 - 2^1 */
|
||||||
|
for i := 1; i < 10; i++ { /* 2^50 - 2^10 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&z2_50_0, &t, &z2_10_0) /* 2^50 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &z2_50_0) /* 2^51 - 2^1 */
|
||||||
|
for i := 1; i < 50; i++ { /* 2^100 - 2^50 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&z2_100_0, &t, &z2_50_0) /* 2^100 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &z2_100_0) /* 2^101 - 2^1 */
|
||||||
|
for i := 1; i < 100; i++ { /* 2^200 - 2^100 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&t, &t, &z2_100_0) /* 2^200 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^201 - 2^1 */
|
||||||
|
for i := 1; i < 50; i++ { /* 2^250 - 2^50 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&t, &t, &z2_50_0) /* 2^250 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^251 - 2^1 */
|
||||||
|
square(&t, &t) /* 2^252 - 2^2 */
|
||||||
|
square(&t, &t) /* 2^253 - 2^3 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^254 - 2^4 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^255 - 2^5 */
|
||||||
|
mul(r, &t, &z11) /* 2^255 - 21 */
|
||||||
|
}
|
@ -0,0 +1,191 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
// func mul(dest, a, b *[5]uint64)
|
||||||
|
TEXT ·mul(SB),0,$128-24
|
||||||
|
MOVQ dest+0(FP), DI
|
||||||
|
MOVQ a+8(FP), SI
|
||||||
|
MOVQ b+16(FP), DX
|
||||||
|
|
||||||
|
MOVQ SP,R11
|
||||||
|
MOVQ $31,CX
|
||||||
|
NOTQ CX
|
||||||
|
ANDQ CX,SP
|
||||||
|
ADDQ $32,SP
|
||||||
|
|
||||||
|
MOVQ R11,0(SP)
|
||||||
|
MOVQ R12,8(SP)
|
||||||
|
MOVQ R13,16(SP)
|
||||||
|
MOVQ R14,24(SP)
|
||||||
|
MOVQ R15,32(SP)
|
||||||
|
MOVQ BX,40(SP)
|
||||||
|
MOVQ BP,48(SP)
|
||||||
|
MOVQ DI,56(SP)
|
||||||
|
MOVQ DX,CX
|
||||||
|
MOVQ 24(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MOVQ AX,64(SP)
|
||||||
|
MULQ 16(CX)
|
||||||
|
MOVQ AX,R8
|
||||||
|
MOVQ DX,R9
|
||||||
|
MOVQ 32(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MOVQ AX,72(SP)
|
||||||
|
MULQ 8(CX)
|
||||||
|
ADDQ AX,R8
|
||||||
|
ADCQ DX,R9
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,R8
|
||||||
|
ADCQ DX,R9
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 8(CX)
|
||||||
|
MOVQ AX,R10
|
||||||
|
MOVQ DX,R11
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 16(CX)
|
||||||
|
MOVQ AX,R12
|
||||||
|
MOVQ DX,R13
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
MOVQ AX,R14
|
||||||
|
MOVQ DX,R15
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
MOVQ AX,BX
|
||||||
|
MOVQ DX,BP
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,R10
|
||||||
|
ADCQ DX,R11
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 8(CX)
|
||||||
|
ADDQ AX,R12
|
||||||
|
ADCQ DX,R13
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 16(CX)
|
||||||
|
ADDQ AX,R14
|
||||||
|
ADCQ DX,R15
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
ADDQ AX,BX
|
||||||
|
ADCQ DX,BP
|
||||||
|
MOVQ 8(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
ADDQ AX,R8
|
||||||
|
ADCQ DX,R9
|
||||||
|
MOVQ 16(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,R12
|
||||||
|
ADCQ DX,R13
|
||||||
|
MOVQ 16(SI),AX
|
||||||
|
MULQ 8(CX)
|
||||||
|
ADDQ AX,R14
|
||||||
|
ADCQ DX,R15
|
||||||
|
MOVQ 16(SI),AX
|
||||||
|
MULQ 16(CX)
|
||||||
|
ADDQ AX,BX
|
||||||
|
ADCQ DX,BP
|
||||||
|
MOVQ 16(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
ADDQ AX,R8
|
||||||
|
ADCQ DX,R9
|
||||||
|
MOVQ 16(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
ADDQ AX,R10
|
||||||
|
ADCQ DX,R11
|
||||||
|
MOVQ 24(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,R14
|
||||||
|
ADCQ DX,R15
|
||||||
|
MOVQ 24(SI),AX
|
||||||
|
MULQ 8(CX)
|
||||||
|
ADDQ AX,BX
|
||||||
|
ADCQ DX,BP
|
||||||
|
MOVQ 64(SP),AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
ADDQ AX,R10
|
||||||
|
ADCQ DX,R11
|
||||||
|
MOVQ 64(SP),AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
ADDQ AX,R12
|
||||||
|
ADCQ DX,R13
|
||||||
|
MOVQ 32(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,BX
|
||||||
|
ADCQ DX,BP
|
||||||
|
MOVQ 72(SP),AX
|
||||||
|
MULQ 16(CX)
|
||||||
|
ADDQ AX,R10
|
||||||
|
ADCQ DX,R11
|
||||||
|
MOVQ 72(SP),AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
ADDQ AX,R12
|
||||||
|
ADCQ DX,R13
|
||||||
|
MOVQ 72(SP),AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
ADDQ AX,R14
|
||||||
|
ADCQ DX,R15
|
||||||
|
MOVQ ·REDMASK51(SB),SI
|
||||||
|
SHLQ $13,R9:R8
|
||||||
|
ANDQ SI,R8
|
||||||
|
SHLQ $13,R11:R10
|
||||||
|
ANDQ SI,R10
|
||||||
|
ADDQ R9,R10
|
||||||
|
SHLQ $13,R13:R12
|
||||||
|
ANDQ SI,R12
|
||||||
|
ADDQ R11,R12
|
||||||
|
SHLQ $13,R15:R14
|
||||||
|
ANDQ SI,R14
|
||||||
|
ADDQ R13,R14
|
||||||
|
SHLQ $13,BP:BX
|
||||||
|
ANDQ SI,BX
|
||||||
|
ADDQ R15,BX
|
||||||
|
IMUL3Q $19,BP,DX
|
||||||
|
ADDQ DX,R8
|
||||||
|
MOVQ R8,DX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R10,DX
|
||||||
|
MOVQ DX,CX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ANDQ SI,R8
|
||||||
|
ADDQ R12,DX
|
||||||
|
MOVQ DX,R9
|
||||||
|
SHRQ $51,DX
|
||||||
|
ANDQ SI,CX
|
||||||
|
ADDQ R14,DX
|
||||||
|
MOVQ DX,AX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ANDQ SI,R9
|
||||||
|
ADDQ BX,DX
|
||||||
|
MOVQ DX,R10
|
||||||
|
SHRQ $51,DX
|
||||||
|
ANDQ SI,AX
|
||||||
|
IMUL3Q $19,DX,DX
|
||||||
|
ADDQ DX,R8
|
||||||
|
ANDQ SI,R10
|
||||||
|
MOVQ R8,0(DI)
|
||||||
|
MOVQ CX,8(DI)
|
||||||
|
MOVQ R9,16(DI)
|
||||||
|
MOVQ AX,24(DI)
|
||||||
|
MOVQ R10,32(DI)
|
||||||
|
MOVQ 0(SP),R11
|
||||||
|
MOVQ 8(SP),R12
|
||||||
|
MOVQ 16(SP),R13
|
||||||
|
MOVQ 24(SP),R14
|
||||||
|
MOVQ 32(SP),R15
|
||||||
|
MOVQ 40(SP),BX
|
||||||
|
MOVQ 48(SP),BP
|
||||||
|
MOVQ R11,SP
|
||||||
|
MOVQ DI,AX
|
||||||
|
MOVQ SI,DX
|
||||||
|
RET
|
@ -0,0 +1,153 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
// func square(out, in *[5]uint64)
|
||||||
|
TEXT ·square(SB),7,$96-16
|
||||||
|
MOVQ out+0(FP), DI
|
||||||
|
MOVQ in+8(FP), SI
|
||||||
|
|
||||||
|
MOVQ SP,R11
|
||||||
|
MOVQ $31,CX
|
||||||
|
NOTQ CX
|
||||||
|
ANDQ CX,SP
|
||||||
|
ADDQ $32, SP
|
||||||
|
|
||||||
|
MOVQ R11,0(SP)
|
||||||
|
MOVQ R12,8(SP)
|
||||||
|
MOVQ R13,16(SP)
|
||||||
|
MOVQ R14,24(SP)
|
||||||
|
MOVQ R15,32(SP)
|
||||||
|
MOVQ BX,40(SP)
|
||||||
|
MOVQ BP,48(SP)
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 0(SI)
|
||||||
|
MOVQ AX,CX
|
||||||
|
MOVQ DX,R8
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 8(SI)
|
||||||
|
MOVQ AX,R9
|
||||||
|
MOVQ DX,R10
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 16(SI)
|
||||||
|
MOVQ AX,R11
|
||||||
|
MOVQ DX,R12
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 24(SI)
|
||||||
|
MOVQ AX,R13
|
||||||
|
MOVQ DX,R14
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
MOVQ AX,R15
|
||||||
|
MOVQ DX,BX
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 8(SI)
|
||||||
|
ADDQ AX,R11
|
||||||
|
ADCQ DX,R12
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 16(SI)
|
||||||
|
ADDQ AX,R13
|
||||||
|
ADCQ DX,R14
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 24(SI)
|
||||||
|
ADDQ AX,R15
|
||||||
|
ADCQ DX,BX
|
||||||
|
MOVQ 8(SI),DX
|
||||||
|
IMUL3Q $38,DX,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
ADDQ AX,CX
|
||||||
|
ADCQ DX,R8
|
||||||
|
MOVQ 16(SI),AX
|
||||||
|
MULQ 16(SI)
|
||||||
|
ADDQ AX,R15
|
||||||
|
ADCQ DX,BX
|
||||||
|
MOVQ 16(SI),DX
|
||||||
|
IMUL3Q $38,DX,AX
|
||||||
|
MULQ 24(SI)
|
||||||
|
ADDQ AX,CX
|
||||||
|
ADCQ DX,R8
|
||||||
|
MOVQ 16(SI),DX
|
||||||
|
IMUL3Q $38,DX,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
ADDQ AX,R9
|
||||||
|
ADCQ DX,R10
|
||||||
|
MOVQ 24(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 24(SI)
|
||||||
|
ADDQ AX,R9
|
||||||
|
ADCQ DX,R10
|
||||||
|
MOVQ 24(SI),DX
|
||||||
|
IMUL3Q $38,DX,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
ADDQ AX,R11
|
||||||
|
ADCQ DX,R12
|
||||||
|
MOVQ 32(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
ADDQ AX,R13
|
||||||
|
ADCQ DX,R14
|
||||||
|
MOVQ ·REDMASK51(SB),SI
|
||||||
|
SHLQ $13,R8:CX
|
||||||
|
ANDQ SI,CX
|
||||||
|
SHLQ $13,R10:R9
|
||||||
|
ANDQ SI,R9
|
||||||
|
ADDQ R8,R9
|
||||||
|
SHLQ $13,R12:R11
|
||||||
|
ANDQ SI,R11
|
||||||
|
ADDQ R10,R11
|
||||||
|
SHLQ $13,R14:R13
|
||||||
|
ANDQ SI,R13
|
||||||
|
ADDQ R12,R13
|
||||||
|
SHLQ $13,BX:R15
|
||||||
|
ANDQ SI,R15
|
||||||
|
ADDQ R14,R15
|
||||||
|
IMUL3Q $19,BX,DX
|
||||||
|
ADDQ DX,CX
|
||||||
|
MOVQ CX,DX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R9,DX
|
||||||
|
ANDQ SI,CX
|
||||||
|
MOVQ DX,R8
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R11,DX
|
||||||
|
ANDQ SI,R8
|
||||||
|
MOVQ DX,R9
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R13,DX
|
||||||
|
ANDQ SI,R9
|
||||||
|
MOVQ DX,AX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R15,DX
|
||||||
|
ANDQ SI,AX
|
||||||
|
MOVQ DX,R10
|
||||||
|
SHRQ $51,DX
|
||||||
|
IMUL3Q $19,DX,DX
|
||||||
|
ADDQ DX,CX
|
||||||
|
ANDQ SI,R10
|
||||||
|
MOVQ CX,0(DI)
|
||||||
|
MOVQ R8,8(DI)
|
||||||
|
MOVQ R9,16(DI)
|
||||||
|
MOVQ AX,24(DI)
|
||||||
|
MOVQ R10,32(DI)
|
||||||
|
MOVQ 0(SP),R11
|
||||||
|
MOVQ 8(SP),R12
|
||||||
|
MOVQ 16(SP),R13
|
||||||
|
MOVQ 24(SP),R14
|
||||||
|
MOVQ 32(SP),R15
|
||||||
|
MOVQ 40(SP),BX
|
||||||
|
MOVQ 48(SP),BP
|
||||||
|
MOVQ R11,SP
|
||||||
|
MOVQ DI,AX
|
||||||
|
MOVQ SI,DX
|
||||||
|
RET
|
@ -0,0 +1,181 @@
|
|||||||
|
// Copyright 2016 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package ed25519 implements the Ed25519 signature algorithm. See
|
||||||
|
// http://ed25519.cr.yp.to/.
|
||||||
|
//
|
||||||
|
// These functions are also compatible with the “Ed25519” function defined in
|
||||||
|
// https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-05.
|
||||||
|
package ed25519
|
||||||
|
|
||||||
|
// This code is a port of the public domain, “ref10” implementation of ed25519
|
||||||
|
// from SUPERCOP.
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
cryptorand "crypto/rand"
|
||||||
|
"crypto/sha512"
|
||||||
|
"crypto/subtle"
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/ed25519/internal/edwards25519"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// PublicKeySize is the size, in bytes, of public keys as used in this package.
|
||||||
|
PublicKeySize = 32
|
||||||
|
// PrivateKeySize is the size, in bytes, of private keys as used in this package.
|
||||||
|
PrivateKeySize = 64
|
||||||
|
// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
|
||||||
|
SignatureSize = 64
|
||||||
|
)
|
||||||
|
|
||||||
|
// PublicKey is the type of Ed25519 public keys.
|
||||||
|
type PublicKey []byte
|
||||||
|
|
||||||
|
// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
|
||||||
|
type PrivateKey []byte
|
||||||
|
|
||||||
|
// Public returns the PublicKey corresponding to priv.
|
||||||
|
func (priv PrivateKey) Public() crypto.PublicKey {
|
||||||
|
publicKey := make([]byte, PublicKeySize)
|
||||||
|
copy(publicKey, priv[32:])
|
||||||
|
return PublicKey(publicKey)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sign signs the given message with priv.
|
||||||
|
// Ed25519 performs two passes over messages to be signed and therefore cannot
|
||||||
|
// handle pre-hashed messages. Thus opts.HashFunc() must return zero to
|
||||||
|
// indicate the message hasn't been hashed. This can be achieved by passing
|
||||||
|
// crypto.Hash(0) as the value for opts.
|
||||||
|
func (priv PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOpts) (signature []byte, err error) {
|
||||||
|
if opts.HashFunc() != crypto.Hash(0) {
|
||||||
|
return nil, errors.New("ed25519: cannot sign hashed message")
|
||||||
|
}
|
||||||
|
|
||||||
|
return Sign(priv, message), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateKey generates a public/private key pair using entropy from rand.
|
||||||
|
// If rand is nil, crypto/rand.Reader will be used.
|
||||||
|
func GenerateKey(rand io.Reader) (publicKey PublicKey, privateKey PrivateKey, err error) {
|
||||||
|
if rand == nil {
|
||||||
|
rand = cryptorand.Reader
|
||||||
|
}
|
||||||
|
|
||||||
|
privateKey = make([]byte, PrivateKeySize)
|
||||||
|
publicKey = make([]byte, PublicKeySize)
|
||||||
|
_, err = io.ReadFull(rand, privateKey[:32])
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
digest := sha512.Sum512(privateKey[:32])
|
||||||
|
digest[0] &= 248
|
||||||
|
digest[31] &= 127
|
||||||
|
digest[31] |= 64
|
||||||
|
|
||||||
|
var A edwards25519.ExtendedGroupElement
|
||||||
|
var hBytes [32]byte
|
||||||
|
copy(hBytes[:], digest[:])
|
||||||
|
edwards25519.GeScalarMultBase(&A, &hBytes)
|
||||||
|
var publicKeyBytes [32]byte
|
||||||
|
A.ToBytes(&publicKeyBytes)
|
||||||
|
|
||||||
|
copy(privateKey[32:], publicKeyBytes[:])
|
||||||
|
copy(publicKey, publicKeyBytes[:])
|
||||||
|
|
||||||
|
return publicKey, privateKey, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sign signs the message with privateKey and returns a signature. It will
|
||||||
|
// panic if len(privateKey) is not PrivateKeySize.
|
||||||
|
func Sign(privateKey PrivateKey, message []byte) []byte {
|
||||||
|
if l := len(privateKey); l != PrivateKeySize {
|
||||||
|
panic("ed25519: bad private key length: " + strconv.Itoa(l))
|
||||||
|
}
|
||||||
|
|
||||||
|
h := sha512.New()
|
||||||
|
h.Write(privateKey[:32])
|
||||||
|
|
||||||
|
var digest1, messageDigest, hramDigest [64]byte
|
||||||
|
var expandedSecretKey [32]byte
|
||||||
|
h.Sum(digest1[:0])
|
||||||
|
copy(expandedSecretKey[:], digest1[:])
|
||||||
|
expandedSecretKey[0] &= 248
|
||||||
|
expandedSecretKey[31] &= 63
|
||||||
|
expandedSecretKey[31] |= 64
|
||||||
|
|
||||||
|
h.Reset()
|
||||||
|
h.Write(digest1[32:])
|
||||||
|
h.Write(message)
|
||||||
|
h.Sum(messageDigest[:0])
|
||||||
|
|
||||||
|
var messageDigestReduced [32]byte
|
||||||
|
edwards25519.ScReduce(&messageDigestReduced, &messageDigest)
|
||||||
|
var R edwards25519.ExtendedGroupElement
|
||||||
|
edwards25519.GeScalarMultBase(&R, &messageDigestReduced)
|
||||||
|
|
||||||
|
var encodedR [32]byte
|
||||||
|
R.ToBytes(&encodedR)
|
||||||
|
|
||||||
|
h.Reset()
|
||||||
|
h.Write(encodedR[:])
|
||||||
|
h.Write(privateKey[32:])
|
||||||
|
h.Write(message)
|
||||||
|
h.Sum(hramDigest[:0])
|
||||||
|
var hramDigestReduced [32]byte
|
||||||
|
edwards25519.ScReduce(&hramDigestReduced, &hramDigest)
|
||||||
|
|
||||||
|
var s [32]byte
|
||||||
|
edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced)
|
||||||
|
|
||||||
|
signature := make([]byte, SignatureSize)
|
||||||
|
copy(signature[:], encodedR[:])
|
||||||
|
copy(signature[32:], s[:])
|
||||||
|
|
||||||
|
return signature
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify reports whether sig is a valid signature of message by publicKey. It
|
||||||
|
// will panic if len(publicKey) is not PublicKeySize.
|
||||||
|
func Verify(publicKey PublicKey, message, sig []byte) bool {
|
||||||
|
if l := len(publicKey); l != PublicKeySize {
|
||||||
|
panic("ed25519: bad public key length: " + strconv.Itoa(l))
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(sig) != SignatureSize || sig[63]&224 != 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
var A edwards25519.ExtendedGroupElement
|
||||||
|
var publicKeyBytes [32]byte
|
||||||
|
copy(publicKeyBytes[:], publicKey)
|
||||||
|
if !A.FromBytes(&publicKeyBytes) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
edwards25519.FeNeg(&A.X, &A.X)
|
||||||
|
edwards25519.FeNeg(&A.T, &A.T)
|
||||||
|
|
||||||
|
h := sha512.New()
|
||||||
|
h.Write(sig[:32])
|
||||||
|
h.Write(publicKey[:])
|
||||||
|
h.Write(message)
|
||||||
|
var digest [64]byte
|
||||||
|
h.Sum(digest[:0])
|
||||||
|
|
||||||
|
var hReduced [32]byte
|
||||||
|
edwards25519.ScReduce(&hReduced, &digest)
|
||||||
|
|
||||||
|
var R edwards25519.ProjectiveGroupElement
|
||||||
|
var b [32]byte
|
||||||
|
copy(b[:], sig[32:])
|
||||||
|
edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b)
|
||||||
|
|
||||||
|
var checkR [32]byte
|
||||||
|
R.ToBytes(&checkR)
|
||||||
|
return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1
|
||||||
|
}
|
File diff suppressed because it is too large
Load Diff
1771
vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/edwards25519.go
generated
vendored
1771
vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/edwards25519.go
generated
vendored
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,282 @@
|
|||||||
|
package ecdh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto"
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"github.com/keybase/go-crypto/curve25519"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
type PublicKey struct {
|
||||||
|
elliptic.Curve
|
||||||
|
X, Y *big.Int
|
||||||
|
}
|
||||||
|
|
||||||
|
type PrivateKey struct {
|
||||||
|
PublicKey
|
||||||
|
X *big.Int
|
||||||
|
}
|
||||||
|
|
||||||
|
// KDF implements Key Derivation Function as described in
|
||||||
|
// https://tools.ietf.org/html/rfc6637#section-7
|
||||||
|
func (e *PublicKey) KDF(S []byte, kdfParams []byte, hash crypto.Hash) []byte {
|
||||||
|
sLen := (e.Curve.Params().P.BitLen() + 7) / 8
|
||||||
|
buf := new(bytes.Buffer)
|
||||||
|
buf.Write([]byte{0, 0, 0, 1})
|
||||||
|
if sLen > len(S) {
|
||||||
|
// zero-pad the S. If we got invalid S (bigger than curve's
|
||||||
|
// P), we are going to produce invalid key. Garbage in,
|
||||||
|
// garbage out.
|
||||||
|
buf.Write(make([]byte, sLen-len(S)))
|
||||||
|
}
|
||||||
|
buf.Write(S)
|
||||||
|
buf.Write(kdfParams)
|
||||||
|
|
||||||
|
hashw := hash.New()
|
||||||
|
|
||||||
|
hashw.Write(buf.Bytes())
|
||||||
|
key := hashw.Sum(nil)
|
||||||
|
|
||||||
|
return key
|
||||||
|
}
|
||||||
|
|
||||||
|
// AESKeyUnwrap implements RFC 3394 Key Unwrapping. See
|
||||||
|
// http://tools.ietf.org/html/rfc3394#section-2.2.1
|
||||||
|
// Note: The second described algorithm ("index-based") is implemented
|
||||||
|
// here.
|
||||||
|
func AESKeyUnwrap(key, cipherText []byte) ([]byte, error) {
|
||||||
|
if len(cipherText)%8 != 0 {
|
||||||
|
return nil, errors.New("cipherText must by a multiple of 64 bits")
|
||||||
|
}
|
||||||
|
|
||||||
|
cipher, err := aes.NewCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
nblocks := len(cipherText)/8 - 1
|
||||||
|
|
||||||
|
// 1) Initialize variables.
|
||||||
|
// - Set A = C[0]
|
||||||
|
var A [aes.BlockSize]byte
|
||||||
|
copy(A[:8], cipherText[:8])
|
||||||
|
|
||||||
|
// For i = 1 to n
|
||||||
|
// Set R[i] = C[i]
|
||||||
|
R := make([]byte, len(cipherText)-8)
|
||||||
|
copy(R, cipherText[8:])
|
||||||
|
|
||||||
|
// 2) Compute intermediate values.
|
||||||
|
for j := 5; j >= 0; j-- {
|
||||||
|
for i := nblocks - 1; i >= 0; i-- {
|
||||||
|
// B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
|
||||||
|
// A = MSB(64, B)
|
||||||
|
t := uint64(nblocks*j + i + 1)
|
||||||
|
At := binary.BigEndian.Uint64(A[:8]) ^ t
|
||||||
|
binary.BigEndian.PutUint64(A[:8], At)
|
||||||
|
|
||||||
|
copy(A[8:], R[i*8:i*8+8])
|
||||||
|
cipher.Decrypt(A[:], A[:])
|
||||||
|
|
||||||
|
// R[i] = LSB(B, 64)
|
||||||
|
copy(R[i*8:i*8+8], A[8:])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3) Output results.
|
||||||
|
// If A is an appropriate initial value (see 2.2.3),
|
||||||
|
for i := 0; i < 8; i++ {
|
||||||
|
if A[i] != 0xA6 {
|
||||||
|
return nil, errors.New("Failed to unwrap key (A is not IV)")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return R, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// AESKeyWrap implements RFC 3394 Key Wrapping. See
|
||||||
|
// https://tools.ietf.org/html/rfc3394#section-2.2.2
|
||||||
|
// Note: The second described algorithm ("index-based") is implemented
|
||||||
|
// here.
|
||||||
|
func AESKeyWrap(key, plainText []byte) ([]byte, error) {
|
||||||
|
if len(plainText)%8 != 0 {
|
||||||
|
return nil, errors.New("plainText must be a multiple of 64 bits")
|
||||||
|
}
|
||||||
|
|
||||||
|
cipher, err := aes.NewCipher(key) // NewCipher checks key size
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
nblocks := len(plainText) / 8
|
||||||
|
|
||||||
|
// 1) Initialize variables.
|
||||||
|
var A [aes.BlockSize]byte
|
||||||
|
// Section 2.2.3.1 -- Initial Value
|
||||||
|
// http://tools.ietf.org/html/rfc3394#section-2.2.3.1
|
||||||
|
for i := 0; i < 8; i++ {
|
||||||
|
A[i] = 0xA6
|
||||||
|
}
|
||||||
|
|
||||||
|
// For i = 1 to n
|
||||||
|
// Set R[i] = P[i]
|
||||||
|
R := make([]byte, len(plainText))
|
||||||
|
copy(R, plainText)
|
||||||
|
|
||||||
|
// 2) Calculate intermediate values.
|
||||||
|
for j := 0; j <= 5; j++ {
|
||||||
|
for i := 0; i < nblocks; i++ {
|
||||||
|
// B = AES(K, A | R[i])
|
||||||
|
copy(A[8:], R[i*8:i*8+8])
|
||||||
|
cipher.Encrypt(A[:], A[:])
|
||||||
|
|
||||||
|
// (Assume B = A)
|
||||||
|
// A = MSB(64, B) ^ t where t = (n*j)+1
|
||||||
|
t := uint64(j*nblocks + i + 1)
|
||||||
|
At := binary.BigEndian.Uint64(A[:8]) ^ t
|
||||||
|
binary.BigEndian.PutUint64(A[:8], At)
|
||||||
|
|
||||||
|
// R[i] = LSB(64, B)
|
||||||
|
copy(R[i*8:i*8+8], A[8:])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3) Output results.
|
||||||
|
// Set C[0] = A
|
||||||
|
// For i = 1 to n
|
||||||
|
// C[i] = R[i]
|
||||||
|
return append(A[:8], R...), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// PadBuffer pads byte buffer buf to a length being multiple of
|
||||||
|
// blockLen. Additional bytes appended to the buffer have value of the
|
||||||
|
// number padded bytes. E.g. if the buffer is 3 bytes short of being
|
||||||
|
// 40 bytes total, the appended bytes will be [03, 03, 03].
|
||||||
|
func PadBuffer(buf []byte, blockLen int) []byte {
|
||||||
|
padding := blockLen - (len(buf) % blockLen)
|
||||||
|
if padding == 0 {
|
||||||
|
return buf
|
||||||
|
}
|
||||||
|
|
||||||
|
padBuf := make([]byte, padding)
|
||||||
|
for i := 0; i < padding; i++ {
|
||||||
|
padBuf[i] = byte(padding)
|
||||||
|
}
|
||||||
|
|
||||||
|
return append(buf, padBuf...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// UnpadBuffer verifies that buffer contains proper padding and
|
||||||
|
// returns buffer without the padding, or nil if the padding was
|
||||||
|
// invalid.
|
||||||
|
func UnpadBuffer(buf []byte, dataLen int) []byte {
|
||||||
|
padding := len(buf) - dataLen
|
||||||
|
outBuf := buf[:dataLen]
|
||||||
|
|
||||||
|
for i := dataLen; i < len(buf); i++ {
|
||||||
|
if buf[i] != byte(padding) {
|
||||||
|
// Invalid padding - bail out
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return outBuf
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *PublicKey) Encrypt(random io.Reader, kdfParams []byte, plain []byte, hash crypto.Hash, kdfKeySize int) (Vx *big.Int, Vy *big.Int, C []byte, err error) {
|
||||||
|
// Vx, Vy - encryption key
|
||||||
|
|
||||||
|
// Note for Curve 25519 - curve25519 library already does key
|
||||||
|
// clamping in scalarMult, so we can use generic random scalar
|
||||||
|
// generation from elliptic.
|
||||||
|
priv, Vx, Vy, err := elliptic.GenerateKey(e.Curve, random)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sx, Sy - shared secret
|
||||||
|
Sx, _ := e.Curve.ScalarMult(e.X, e.Y, priv)
|
||||||
|
|
||||||
|
// Encrypt the payload with KDF-ed S as the encryption key. Pass
|
||||||
|
// the ciphertext along with V to the recipient. Recipient can
|
||||||
|
// generate S using V and their priv key, and then KDF(S), on
|
||||||
|
// their own, to get encryption key and decrypt the ciphertext,
|
||||||
|
// revealing encryption key for symmetric encryption later.
|
||||||
|
|
||||||
|
plain = PadBuffer(plain, 8)
|
||||||
|
key := e.KDF(Sx.Bytes(), kdfParams, hash)
|
||||||
|
|
||||||
|
// Take only as many bytes from key as the key length (the hash
|
||||||
|
// result might be bigger)
|
||||||
|
encrypted, err := AESKeyWrap(key[:kdfKeySize], plain)
|
||||||
|
|
||||||
|
return Vx, Vy, encrypted, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *PrivateKey) DecryptShared(X, Y *big.Int) []byte {
|
||||||
|
Sx, _ := e.Curve.ScalarMult(X, Y, e.X.Bytes())
|
||||||
|
return Sx.Bytes()
|
||||||
|
}
|
||||||
|
|
||||||
|
func countBits(buffer []byte) int {
|
||||||
|
var headerLen int
|
||||||
|
switch buffer[0] {
|
||||||
|
case 0x4:
|
||||||
|
headerLen = 3
|
||||||
|
case 0x40:
|
||||||
|
headerLen = 7
|
||||||
|
default:
|
||||||
|
// Unexpected header - but we can still count the bits.
|
||||||
|
val := buffer[0]
|
||||||
|
headerLen = 0
|
||||||
|
for val > 0 {
|
||||||
|
val = val / 2
|
||||||
|
headerLen++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return headerLen + (len(buffer)-1)*8
|
||||||
|
}
|
||||||
|
|
||||||
|
// elliptic.Marshal and elliptic.Unmarshal only marshals uncompressed
|
||||||
|
// 0x4 MPI types. These functions will check if the curve is cv25519,
|
||||||
|
// and if so, use 0x40 compressed type to (un)marshal. Otherwise,
|
||||||
|
// elliptic.(Un)marshal will be called.
|
||||||
|
|
||||||
|
// Marshal encodes point into either 0x4 uncompressed point form, or
|
||||||
|
// 0x40 compressed point for Curve 25519.
|
||||||
|
func Marshal(curve elliptic.Curve, x, y *big.Int) (buf []byte, bitSize int) {
|
||||||
|
// NOTE: Read more about MPI encoding in the RFC:
|
||||||
|
// https://tools.ietf.org/html/rfc4880#section-3.2
|
||||||
|
|
||||||
|
// We are required to encode size in bits, counting from the most-
|
||||||
|
// significant non-zero bit. So assuming that the buffer never
|
||||||
|
// starts with 0x00, we only need to count bits in the first byte
|
||||||
|
// - and in current implentation it will always be 0x4 or 0x40.
|
||||||
|
|
||||||
|
cv, ok := curve25519.ToCurve25519(curve)
|
||||||
|
if ok {
|
||||||
|
buf = cv.MarshalType40(x, y)
|
||||||
|
} else {
|
||||||
|
buf = elliptic.Marshal(curve, x, y)
|
||||||
|
}
|
||||||
|
|
||||||
|
return buf, countBits(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Unmarshal converts point, serialized by Marshal, into x, y pair.
|
||||||
|
// For 0x40 compressed points (for Curve 25519), y will always be 0.
|
||||||
|
// It is an error if point is not on the curve, On error, x = nil.
|
||||||
|
func Unmarshal(curve elliptic.Curve, data []byte) (x, y *big.Int) {
|
||||||
|
cv, ok := curve25519.ToCurve25519(curve)
|
||||||
|
if ok {
|
||||||
|
return cv.UnmarshalType40(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
return elliptic.Unmarshal(curve, data)
|
||||||
|
}
|
@ -0,0 +1,902 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package openpgp
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/hmac"
|
||||||
|
"encoding/binary"
|
||||||
|
"io"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/armor"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/packet"
|
||||||
|
"github.com/keybase/go-crypto/rsa"
|
||||||
|
)
|
||||||
|
|
||||||
|
// PublicKeyType is the armor type for a PGP public key.
|
||||||
|
var PublicKeyType = "PGP PUBLIC KEY BLOCK"
|
||||||
|
|
||||||
|
// PrivateKeyType is the armor type for a PGP private key.
|
||||||
|
var PrivateKeyType = "PGP PRIVATE KEY BLOCK"
|
||||||
|
|
||||||
|
// An Entity represents the components of an OpenPGP key: a primary public key
|
||||||
|
// (which must be a signing key), one or more identities claimed by that key,
|
||||||
|
// and zero or more subkeys, which may be encryption keys.
|
||||||
|
type Entity struct {
|
||||||
|
PrimaryKey *packet.PublicKey
|
||||||
|
PrivateKey *packet.PrivateKey
|
||||||
|
Identities map[string]*Identity // indexed by Identity.Name
|
||||||
|
Revocations []*packet.Signature
|
||||||
|
// Revocations that are signed by designated revokers. Reading keys
|
||||||
|
// will not verify these revocations, because it won't have access to
|
||||||
|
// issuers' public keys, API consumers should do this instead (or
|
||||||
|
// not, and just assume that the key is probably revoked).
|
||||||
|
UnverifiedRevocations []*packet.Signature
|
||||||
|
Subkeys []Subkey
|
||||||
|
BadSubkeys []BadSubkey
|
||||||
|
}
|
||||||
|
|
||||||
|
// An Identity represents an identity claimed by an Entity and zero or more
|
||||||
|
// assertions by other entities about that claim.
|
||||||
|
type Identity struct {
|
||||||
|
Name string // by convention, has the form "Full Name (comment) <email@example.com>"
|
||||||
|
UserId *packet.UserId
|
||||||
|
SelfSignature *packet.Signature
|
||||||
|
Signatures []*packet.Signature
|
||||||
|
Revocation *packet.Signature
|
||||||
|
}
|
||||||
|
|
||||||
|
// A Subkey is an additional public key in an Entity. Subkeys can be used for
|
||||||
|
// encryption.
|
||||||
|
type Subkey struct {
|
||||||
|
PublicKey *packet.PublicKey
|
||||||
|
PrivateKey *packet.PrivateKey
|
||||||
|
Sig *packet.Signature
|
||||||
|
Revocation *packet.Signature
|
||||||
|
}
|
||||||
|
|
||||||
|
// BadSubkey is one that failed reconstruction, but we'll keep it around for
|
||||||
|
// informational purposes.
|
||||||
|
type BadSubkey struct {
|
||||||
|
Subkey
|
||||||
|
Err error
|
||||||
|
}
|
||||||
|
|
||||||
|
// A Key identifies a specific public key in an Entity. This is either the
|
||||||
|
// Entity's primary key or a subkey.
|
||||||
|
type Key struct {
|
||||||
|
Entity *Entity
|
||||||
|
PublicKey *packet.PublicKey
|
||||||
|
PrivateKey *packet.PrivateKey
|
||||||
|
SelfSignature *packet.Signature
|
||||||
|
KeyFlags packet.KeyFlagBits
|
||||||
|
}
|
||||||
|
|
||||||
|
// A KeyRing provides access to public and private keys.
|
||||||
|
type KeyRing interface {
|
||||||
|
|
||||||
|
// KeysById returns the set of keys that have the given key id.
|
||||||
|
// fp can be optionally supplied, which is the full key fingerprint.
|
||||||
|
// If it's provided, then it must match. This comes up in the case
|
||||||
|
// of GPG subpacket 33.
|
||||||
|
KeysById(id uint64, fp []byte) []Key
|
||||||
|
|
||||||
|
// KeysByIdAndUsage returns the set of keys with the given id
|
||||||
|
// that also meet the key usage given by requiredUsage.
|
||||||
|
// The requiredUsage is expressed as the bitwise-OR of
|
||||||
|
// packet.KeyFlag* values.
|
||||||
|
// fp can be optionally supplied, which is the full key fingerprint.
|
||||||
|
// If it's provided, then it must match. This comes up in the case
|
||||||
|
// of GPG subpacket 33.
|
||||||
|
KeysByIdUsage(id uint64, fp []byte, requiredUsage byte) []Key
|
||||||
|
|
||||||
|
// DecryptionKeys returns all private keys that are valid for
|
||||||
|
// decryption.
|
||||||
|
DecryptionKeys() []Key
|
||||||
|
}
|
||||||
|
|
||||||
|
// primaryIdentity returns the Identity marked as primary or the first identity
|
||||||
|
// if none are so marked.
|
||||||
|
func (e *Entity) primaryIdentity() *Identity {
|
||||||
|
var firstIdentity *Identity
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
if firstIdentity == nil {
|
||||||
|
firstIdentity = ident
|
||||||
|
}
|
||||||
|
if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
|
||||||
|
return ident
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return firstIdentity
|
||||||
|
}
|
||||||
|
|
||||||
|
// encryptionKey returns the best candidate Key for encrypting a message to the
|
||||||
|
// given Entity.
|
||||||
|
func (e *Entity) encryptionKey(now time.Time) (Key, bool) {
|
||||||
|
candidateSubkey := -1
|
||||||
|
|
||||||
|
// Iterate the keys to find the newest key
|
||||||
|
var maxTime time.Time
|
||||||
|
for i, subkey := range e.Subkeys {
|
||||||
|
|
||||||
|
// NOTE(maxtaco)
|
||||||
|
// If there is a Flags subpacket, then we have to follow it, and only
|
||||||
|
// use keys that are marked for Encryption of Communication. If there
|
||||||
|
// isn't a Flags subpacket, and this is an Encrypt-Only key (right now only ElGamal
|
||||||
|
// suffices), then we implicitly use it. The check for primary below is a little
|
||||||
|
// more open-ended, but for now, let's be strict and potentially open up
|
||||||
|
// if we see bugs in the wild.
|
||||||
|
//
|
||||||
|
// One more note: old DSA/ElGamal keys tend not to have the Flags subpacket,
|
||||||
|
// so this sort of thing is pretty important for encrypting to older keys.
|
||||||
|
//
|
||||||
|
if ((subkey.Sig.FlagsValid && subkey.Sig.FlagEncryptCommunications) ||
|
||||||
|
(!subkey.Sig.FlagsValid && subkey.PublicKey.PubKeyAlgo == packet.PubKeyAlgoElGamal)) &&
|
||||||
|
subkey.PublicKey.PubKeyAlgo.CanEncrypt() &&
|
||||||
|
!subkey.Sig.KeyExpired(now) &&
|
||||||
|
subkey.Revocation == nil &&
|
||||||
|
(maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) {
|
||||||
|
candidateSubkey = i
|
||||||
|
maxTime = subkey.Sig.CreationTime
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if candidateSubkey != -1 {
|
||||||
|
subkey := e.Subkeys[candidateSubkey]
|
||||||
|
return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig, subkey.Sig.GetKeyFlags()}, true
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we don't have any candidate subkeys for encryption and
|
||||||
|
// the primary key doesn't have any usage metadata then we
|
||||||
|
// assume that the primary key is ok. Or, if the primary key is
|
||||||
|
// marked as ok to encrypt to, then we can obviously use it.
|
||||||
|
//
|
||||||
|
// NOTE(maxtaco) - see note above, how this policy is a little too open-ended
|
||||||
|
// for my liking, but leave it for now.
|
||||||
|
i := e.primaryIdentity()
|
||||||
|
if (!i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications) &&
|
||||||
|
e.PrimaryKey.PubKeyAlgo.CanEncrypt() &&
|
||||||
|
!i.SelfSignature.KeyExpired(now) {
|
||||||
|
return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature, i.SelfSignature.GetKeyFlags()}, true
|
||||||
|
}
|
||||||
|
|
||||||
|
// This Entity appears to be signing only.
|
||||||
|
return Key{}, false
|
||||||
|
}
|
||||||
|
|
||||||
|
// signingKey return the best candidate Key for signing a message with this
|
||||||
|
// Entity.
|
||||||
|
func (e *Entity) signingKey(now time.Time) (Key, bool) {
|
||||||
|
candidateSubkey := -1
|
||||||
|
|
||||||
|
for i, subkey := range e.Subkeys {
|
||||||
|
if (!subkey.Sig.FlagsValid || subkey.Sig.FlagSign) &&
|
||||||
|
subkey.PrivateKey.PrivateKey != nil &&
|
||||||
|
subkey.PublicKey.PubKeyAlgo.CanSign() &&
|
||||||
|
subkey.Revocation == nil &&
|
||||||
|
!subkey.Sig.KeyExpired(now) {
|
||||||
|
candidateSubkey = i
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if candidateSubkey != -1 {
|
||||||
|
subkey := e.Subkeys[candidateSubkey]
|
||||||
|
return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig, subkey.Sig.GetKeyFlags()}, true
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we have no candidate subkey then we assume that it's ok to sign
|
||||||
|
// with the primary key.
|
||||||
|
i := e.primaryIdentity()
|
||||||
|
if (!i.SelfSignature.FlagsValid || i.SelfSignature.FlagSign) &&
|
||||||
|
e.PrimaryKey.PubKeyAlgo.CanSign() &&
|
||||||
|
!i.SelfSignature.KeyExpired(now) &&
|
||||||
|
e.PrivateKey.PrivateKey != nil {
|
||||||
|
return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature, i.SelfSignature.GetKeyFlags()}, true
|
||||||
|
}
|
||||||
|
|
||||||
|
return Key{}, false
|
||||||
|
}
|
||||||
|
|
||||||
|
// An EntityList contains one or more Entities.
|
||||||
|
type EntityList []*Entity
|
||||||
|
|
||||||
|
func keyMatchesIdAndFingerprint(key *packet.PublicKey, id uint64, fp []byte) bool {
|
||||||
|
if key.KeyId != id {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if fp == nil {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return hmac.Equal(fp, key.Fingerprint[:])
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeysById returns the set of keys that have the given key id.
|
||||||
|
// fp can be optionally supplied, which is the full key fingerprint.
|
||||||
|
// If it's provided, then it must match. This comes up in the case
|
||||||
|
// of GPG subpacket 33.
|
||||||
|
func (el EntityList) KeysById(id uint64, fp []byte) (keys []Key) {
|
||||||
|
for _, e := range el {
|
||||||
|
if keyMatchesIdAndFingerprint(e.PrimaryKey, id, fp) {
|
||||||
|
var selfSig *packet.Signature
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
if selfSig == nil {
|
||||||
|
selfSig = ident.SelfSignature
|
||||||
|
} else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
|
||||||
|
selfSig = ident.SelfSignature
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var keyFlags packet.KeyFlagBits
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
keyFlags.Merge(ident.SelfSignature.GetKeyFlags())
|
||||||
|
}
|
||||||
|
|
||||||
|
keys = append(keys, Key{e, e.PrimaryKey, e.PrivateKey, selfSig, keyFlags})
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, subKey := range e.Subkeys {
|
||||||
|
if keyMatchesIdAndFingerprint(subKey.PublicKey, id, fp) {
|
||||||
|
|
||||||
|
// If there's both a a revocation and a sig, then take the
|
||||||
|
// revocation. Otherwise, we can proceed with the sig.
|
||||||
|
sig := subKey.Revocation
|
||||||
|
if sig == nil {
|
||||||
|
sig = subKey.Sig
|
||||||
|
}
|
||||||
|
|
||||||
|
keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, sig, sig.GetKeyFlags()})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeysByIdAndUsage returns the set of keys with the given id that also meet
|
||||||
|
// the key usage given by requiredUsage. The requiredUsage is expressed as
|
||||||
|
// the bitwise-OR of packet.KeyFlag* values.
|
||||||
|
// fp can be optionally supplied, which is the full key fingerprint.
|
||||||
|
// If it's provided, then it must match. This comes up in the case
|
||||||
|
// of GPG subpacket 33.
|
||||||
|
func (el EntityList) KeysByIdUsage(id uint64, fp []byte, requiredUsage byte) (keys []Key) {
|
||||||
|
for _, key := range el.KeysById(id, fp) {
|
||||||
|
if len(key.Entity.Revocations) > 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if key.SelfSignature.RevocationReason != nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if requiredUsage != 0 {
|
||||||
|
var usage byte
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case key.KeyFlags.Valid:
|
||||||
|
usage = key.KeyFlags.BitField
|
||||||
|
|
||||||
|
case key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoElGamal:
|
||||||
|
// We also need to handle the case where, although the sig's
|
||||||
|
// flags aren't valid, the key can is implicitly usable for
|
||||||
|
// encryption by virtue of being ElGamal. See also the comment
|
||||||
|
// in encryptionKey() above.
|
||||||
|
usage |= packet.KeyFlagEncryptCommunications
|
||||||
|
usage |= packet.KeyFlagEncryptStorage
|
||||||
|
|
||||||
|
case key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoDSA ||
|
||||||
|
key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoECDSA ||
|
||||||
|
key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoEdDSA:
|
||||||
|
usage |= packet.KeyFlagSign
|
||||||
|
|
||||||
|
// For a primary RSA key without any key flags, be as permissiable
|
||||||
|
// as possible.
|
||||||
|
case key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoRSA &&
|
||||||
|
keyMatchesIdAndFingerprint(key.Entity.PrimaryKey, id, fp):
|
||||||
|
usage = (packet.KeyFlagCertify | packet.KeyFlagSign |
|
||||||
|
packet.KeyFlagEncryptCommunications | packet.KeyFlagEncryptStorage)
|
||||||
|
}
|
||||||
|
|
||||||
|
if usage&requiredUsage != requiredUsage {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
keys = append(keys, key)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptionKeys returns all private keys that are valid for decryption.
|
||||||
|
func (el EntityList) DecryptionKeys() (keys []Key) {
|
||||||
|
for _, e := range el {
|
||||||
|
for _, subKey := range e.Subkeys {
|
||||||
|
if subKey.PrivateKey != nil && subKey.PrivateKey.PrivateKey != nil && (!subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) {
|
||||||
|
keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig, subKey.Sig.GetKeyFlags()})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file.
|
||||||
|
func ReadArmoredKeyRing(r io.Reader) (EntityList, error) {
|
||||||
|
block, err := armor.Decode(r)
|
||||||
|
if err == io.EOF {
|
||||||
|
return nil, errors.InvalidArgumentError("no armored data found")
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if block.Type != PublicKeyType && block.Type != PrivateKeyType {
|
||||||
|
return nil, errors.InvalidArgumentError("expected public or private key block, got: " + block.Type)
|
||||||
|
}
|
||||||
|
|
||||||
|
return ReadKeyRing(block.Body)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ReadKeyRing reads one or more public/private keys. Unsupported keys are
|
||||||
|
// ignored as long as at least a single valid key is found.
|
||||||
|
func ReadKeyRing(r io.Reader) (el EntityList, err error) {
|
||||||
|
packets := packet.NewReader(r)
|
||||||
|
var lastUnsupportedError error
|
||||||
|
|
||||||
|
for {
|
||||||
|
var e *Entity
|
||||||
|
e, err = ReadEntity(packets)
|
||||||
|
if err != nil {
|
||||||
|
// TODO: warn about skipped unsupported/unreadable keys
|
||||||
|
if _, ok := err.(errors.UnsupportedError); ok {
|
||||||
|
lastUnsupportedError = err
|
||||||
|
err = readToNextPublicKey(packets)
|
||||||
|
} else if _, ok := err.(errors.StructuralError); ok {
|
||||||
|
// Skip unreadable, badly-formatted keys
|
||||||
|
lastUnsupportedError = err
|
||||||
|
err = readToNextPublicKey(packets)
|
||||||
|
}
|
||||||
|
if err == io.EOF {
|
||||||
|
err = nil
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
el = nil
|
||||||
|
break
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
el = append(el, e)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(el) == 0 && err == nil {
|
||||||
|
err = lastUnsupportedError
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// readToNextPublicKey reads packets until the start of the entity and leaves
|
||||||
|
// the first packet of the new entity in the Reader.
|
||||||
|
func readToNextPublicKey(packets *packet.Reader) (err error) {
|
||||||
|
var p packet.Packet
|
||||||
|
for {
|
||||||
|
p, err = packets.Next()
|
||||||
|
if err == io.EOF {
|
||||||
|
return
|
||||||
|
} else if err != nil {
|
||||||
|
if _, ok := err.(errors.UnsupportedError); ok {
|
||||||
|
err = nil
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if pk, ok := p.(*packet.PublicKey); ok && !pk.IsSubkey {
|
||||||
|
packets.Unread(p)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
|
||||||
|
// ReadEntity reads an entity (public key, identities, subkeys etc) from the
|
||||||
|
// given Reader.
|
||||||
|
func ReadEntity(packets *packet.Reader) (*Entity, error) {
|
||||||
|
e := new(Entity)
|
||||||
|
e.Identities = make(map[string]*Identity)
|
||||||
|
|
||||||
|
p, err := packets.Next()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
if e.PrimaryKey, ok = p.(*packet.PublicKey); !ok {
|
||||||
|
if e.PrivateKey, ok = p.(*packet.PrivateKey); !ok {
|
||||||
|
packets.Unread(p)
|
||||||
|
return nil, errors.StructuralError("first packet was not a public/private key")
|
||||||
|
} else {
|
||||||
|
e.PrimaryKey = &e.PrivateKey.PublicKey
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !e.PrimaryKey.PubKeyAlgo.CanSign() {
|
||||||
|
return nil, errors.StructuralError("primary key cannot be used for signatures")
|
||||||
|
}
|
||||||
|
|
||||||
|
var current *Identity
|
||||||
|
var revocations []*packet.Signature
|
||||||
|
|
||||||
|
designatedRevokers := make(map[uint64]bool)
|
||||||
|
EachPacket:
|
||||||
|
for {
|
||||||
|
p, err := packets.Next()
|
||||||
|
if err == io.EOF {
|
||||||
|
break
|
||||||
|
} else if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
switch pkt := p.(type) {
|
||||||
|
case *packet.UserId:
|
||||||
|
|
||||||
|
// Make a new Identity object, that we might wind up throwing away.
|
||||||
|
// We'll only add it if we get a valid self-signature over this
|
||||||
|
// userID.
|
||||||
|
current = new(Identity)
|
||||||
|
current.Name = pkt.Id
|
||||||
|
current.UserId = pkt
|
||||||
|
case *packet.Signature:
|
||||||
|
if pkt.SigType == packet.SigTypeKeyRevocation {
|
||||||
|
// These revocations won't revoke UIDs (see
|
||||||
|
// SigTypeIdentityRevocation). Handle these first,
|
||||||
|
// because key might have revocation coming from
|
||||||
|
// another key (designated revoke).
|
||||||
|
revocations = append(revocations, pkt)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// These are signatures by other people on this key. Let's just ignore them
|
||||||
|
// from the beginning, since they shouldn't affect our key decoding one way
|
||||||
|
// or the other.
|
||||||
|
if pkt.IssuerKeyId != nil && *pkt.IssuerKeyId != e.PrimaryKey.KeyId {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// If this is a signature made by the keyholder, and the signature has stubbed out
|
||||||
|
// critical packets, then *now* we need to bail out.
|
||||||
|
if e := pkt.StubbedOutCriticalError; e != nil {
|
||||||
|
return nil, e
|
||||||
|
}
|
||||||
|
|
||||||
|
// Next handle the case of a self-signature. According to RFC8440,
|
||||||
|
// Section 5.2.3.3, if there are several self-signatures,
|
||||||
|
// we should take the newer one. If they were both created
|
||||||
|
// at the same time, but one of them has keyflags specified and the
|
||||||
|
// other doesn't, keep the one with the keyflags. We have actually
|
||||||
|
// seen this in the wild (see the 'Yield' test in read_test.go).
|
||||||
|
// If there is a tie, and both have the same value for FlagsValid,
|
||||||
|
// then "last writer wins."
|
||||||
|
//
|
||||||
|
// HOWEVER! We have seen yet more keys in the wild (see the 'Spiros'
|
||||||
|
// test in read_test.go), in which the later self-signature is a bunch
|
||||||
|
// of junk, and doesn't even specify key flags. Does it really make
|
||||||
|
// sense to overwrite reasonable key flags with the empty set? I'm not
|
||||||
|
// sure what that would be trying to achieve, and plus GPG seems to be
|
||||||
|
// ok with this situation, and ignores the later (empty) keyflag set.
|
||||||
|
// So further tighten our overwrite rules, and only allow the later
|
||||||
|
// signature to overwrite the earlier signature if so doing won't
|
||||||
|
// trash the key flags.
|
||||||
|
if current != nil &&
|
||||||
|
(current.SelfSignature == nil ||
|
||||||
|
(!pkt.CreationTime.Before(current.SelfSignature.CreationTime) &&
|
||||||
|
(pkt.FlagsValid || !current.SelfSignature.FlagsValid))) &&
|
||||||
|
(pkt.SigType == packet.SigTypePositiveCert || pkt.SigType == packet.SigTypeGenericCert) &&
|
||||||
|
pkt.IssuerKeyId != nil &&
|
||||||
|
*pkt.IssuerKeyId == e.PrimaryKey.KeyId {
|
||||||
|
|
||||||
|
if err = e.PrimaryKey.VerifyUserIdSignature(current.Name, e.PrimaryKey, pkt); err == nil {
|
||||||
|
|
||||||
|
current.SelfSignature = pkt
|
||||||
|
|
||||||
|
// NOTE(maxtaco) 2016.01.11
|
||||||
|
// Only register an identity once we've gotten a valid self-signature.
|
||||||
|
// It's possible therefore for us to throw away `current` in the case
|
||||||
|
// no valid self-signatures were found. That's OK as long as there are
|
||||||
|
// other identies that make sense.
|
||||||
|
//
|
||||||
|
// NOTE! We might later see a revocation for this very same UID, and it
|
||||||
|
// won't be undone. We've preserved this feature from the original
|
||||||
|
// Google OpenPGP we forked from.
|
||||||
|
e.Identities[current.Name] = current
|
||||||
|
} else {
|
||||||
|
// We really should warn that there was a failure here. Not raise an error
|
||||||
|
// since this really shouldn't be a fail-stop error.
|
||||||
|
}
|
||||||
|
} else if current != nil && pkt.SigType == packet.SigTypeIdentityRevocation {
|
||||||
|
if err = e.PrimaryKey.VerifyUserIdSignature(current.Name, e.PrimaryKey, pkt); err == nil {
|
||||||
|
// Note: we are not removing the identity from
|
||||||
|
// e.Identities. Caller can always filter by Revocation
|
||||||
|
// field to ignore revoked identities.
|
||||||
|
current.Revocation = pkt
|
||||||
|
}
|
||||||
|
} else if pkt.SigType == packet.SigTypeDirectSignature {
|
||||||
|
if err = e.PrimaryKey.VerifyRevocationSignature(e.PrimaryKey, pkt); err == nil {
|
||||||
|
if desig := pkt.DesignatedRevoker; desig != nil {
|
||||||
|
// If it's a designated revoker signature, take last 8 octects
|
||||||
|
// of fingerprint as Key ID and save it to designatedRevokers
|
||||||
|
// map. We consult this map later to see if a foreign
|
||||||
|
// revocation should be added to UnverifiedRevocations.
|
||||||
|
keyID := binary.BigEndian.Uint64(desig.Fingerprint[len(desig.Fingerprint)-8:])
|
||||||
|
designatedRevokers[keyID] = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else if current == nil {
|
||||||
|
// NOTE(maxtaco)
|
||||||
|
//
|
||||||
|
// See https://github.com/keybase/client/issues/2666
|
||||||
|
//
|
||||||
|
// There might have been a user attribute picture before this signature,
|
||||||
|
// in which case this is still a valid PGP key. In the future we might
|
||||||
|
// not ignore user attributes (like picture). But either way, it doesn't
|
||||||
|
// make sense to bail out here. Keep looking for other valid signatures.
|
||||||
|
//
|
||||||
|
// Used to be:
|
||||||
|
// return nil, errors.StructuralError("signature packet found before user id packet")
|
||||||
|
} else {
|
||||||
|
current.Signatures = append(current.Signatures, pkt)
|
||||||
|
}
|
||||||
|
case *packet.PrivateKey:
|
||||||
|
if pkt.IsSubkey == false {
|
||||||
|
packets.Unread(p)
|
||||||
|
break EachPacket
|
||||||
|
}
|
||||||
|
err = addSubkey(e, packets, &pkt.PublicKey, pkt)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
case *packet.PublicKey:
|
||||||
|
if pkt.IsSubkey == false {
|
||||||
|
packets.Unread(p)
|
||||||
|
break EachPacket
|
||||||
|
}
|
||||||
|
err = addSubkey(e, packets, pkt, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
// we ignore unknown packets
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(e.Identities) == 0 {
|
||||||
|
return nil, errors.StructuralError("entity without any identities")
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, revocation := range revocations {
|
||||||
|
if revocation.IssuerKeyId == nil || *revocation.IssuerKeyId == e.PrimaryKey.KeyId {
|
||||||
|
// Key revokes itself, something that we can verify.
|
||||||
|
err = e.PrimaryKey.VerifyRevocationSignature(e.PrimaryKey, revocation)
|
||||||
|
if err == nil {
|
||||||
|
e.Revocations = append(e.Revocations, revocation)
|
||||||
|
} else {
|
||||||
|
return nil, errors.StructuralError("revocation signature signed by alternate key")
|
||||||
|
}
|
||||||
|
} else if revocation.IssuerKeyId != nil {
|
||||||
|
if _, ok := designatedRevokers[*revocation.IssuerKeyId]; ok {
|
||||||
|
// Revocation is done by certified designated revoker,
|
||||||
|
// but we can't verify the revocation.
|
||||||
|
e.UnverifiedRevocations = append(e.UnverifiedRevocations, revocation)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return e, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error {
|
||||||
|
var subKey Subkey
|
||||||
|
subKey.PublicKey = pub
|
||||||
|
subKey.PrivateKey = priv
|
||||||
|
var lastErr error
|
||||||
|
for {
|
||||||
|
p, err := packets.Next()
|
||||||
|
if err == io.EOF {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return errors.StructuralError("subkey signature invalid: " + err.Error())
|
||||||
|
}
|
||||||
|
sig, ok := p.(*packet.Signature)
|
||||||
|
if !ok {
|
||||||
|
// Hit a non-signature packet, so assume we're up to the next key
|
||||||
|
packets.Unread(p)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if st := sig.SigType; st != packet.SigTypeSubkeyBinding && st != packet.SigTypeSubkeyRevocation {
|
||||||
|
|
||||||
|
// Note(maxtaco):
|
||||||
|
// We used to error out here, but instead, let's fast-forward past
|
||||||
|
// packets that are in the wrong place (like misplaced 0x13 signatures)
|
||||||
|
// until we get to one that works. For a test case,
|
||||||
|
// see TestWithBadSubkeySignaturePackets.
|
||||||
|
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, sig)
|
||||||
|
if err != nil {
|
||||||
|
// Non valid signature, so again, no need to abandon all hope, just continue;
|
||||||
|
// make a note of the error we hit.
|
||||||
|
lastErr = errors.StructuralError("subkey signature invalid: " + err.Error())
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
switch sig.SigType {
|
||||||
|
case packet.SigTypeSubkeyBinding:
|
||||||
|
// Does the "new" sig set expiration to later date than
|
||||||
|
// "previous" sig?
|
||||||
|
if subKey.Sig == nil || subKey.Sig.ExpiresBeforeOther(sig) {
|
||||||
|
subKey.Sig = sig
|
||||||
|
}
|
||||||
|
case packet.SigTypeSubkeyRevocation:
|
||||||
|
// First writer wins
|
||||||
|
if subKey.Revocation == nil {
|
||||||
|
subKey.Revocation = sig
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if subKey.Sig != nil {
|
||||||
|
e.Subkeys = append(e.Subkeys, subKey)
|
||||||
|
} else {
|
||||||
|
if lastErr == nil {
|
||||||
|
lastErr = errors.StructuralError("Subkey wasn't signed; expected a 'binding' signature")
|
||||||
|
}
|
||||||
|
e.BadSubkeys = append(e.BadSubkeys, BadSubkey{Subkey: subKey, Err: lastErr})
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
const defaultRSAKeyBits = 2048
|
||||||
|
|
||||||
|
// NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
|
||||||
|
// single identity composed of the given full name, comment and email, any of
|
||||||
|
// which may be empty but must not contain any of "()<>\x00".
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) {
|
||||||
|
currentTime := config.Now()
|
||||||
|
|
||||||
|
bits := defaultRSAKeyBits
|
||||||
|
if config != nil && config.RSABits != 0 {
|
||||||
|
bits = config.RSABits
|
||||||
|
}
|
||||||
|
|
||||||
|
uid := packet.NewUserId(name, comment, email)
|
||||||
|
if uid == nil {
|
||||||
|
return nil, errors.InvalidArgumentError("user id field contained invalid characters")
|
||||||
|
}
|
||||||
|
signingPriv, err := rsa.GenerateKey(config.Random(), bits)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
encryptingPriv, err := rsa.GenerateKey(config.Random(), bits)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
e := &Entity{
|
||||||
|
PrimaryKey: packet.NewRSAPublicKey(currentTime, &signingPriv.PublicKey),
|
||||||
|
PrivateKey: packet.NewRSAPrivateKey(currentTime, signingPriv),
|
||||||
|
Identities: make(map[string]*Identity),
|
||||||
|
}
|
||||||
|
isPrimaryId := true
|
||||||
|
e.Identities[uid.Id] = &Identity{
|
||||||
|
Name: uid.Name,
|
||||||
|
UserId: uid,
|
||||||
|
SelfSignature: &packet.Signature{
|
||||||
|
CreationTime: currentTime,
|
||||||
|
SigType: packet.SigTypePositiveCert,
|
||||||
|
PubKeyAlgo: packet.PubKeyAlgoRSA,
|
||||||
|
Hash: config.Hash(),
|
||||||
|
IsPrimaryId: &isPrimaryId,
|
||||||
|
FlagsValid: true,
|
||||||
|
FlagSign: true,
|
||||||
|
FlagCertify: true,
|
||||||
|
IssuerKeyId: &e.PrimaryKey.KeyId,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
e.Subkeys = make([]Subkey, 1)
|
||||||
|
e.Subkeys[0] = Subkey{
|
||||||
|
PublicKey: packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),
|
||||||
|
PrivateKey: packet.NewRSAPrivateKey(currentTime, encryptingPriv),
|
||||||
|
Sig: &packet.Signature{
|
||||||
|
CreationTime: currentTime,
|
||||||
|
SigType: packet.SigTypeSubkeyBinding,
|
||||||
|
PubKeyAlgo: packet.PubKeyAlgoRSA,
|
||||||
|
Hash: config.Hash(),
|
||||||
|
FlagsValid: true,
|
||||||
|
FlagEncryptStorage: true,
|
||||||
|
FlagEncryptCommunications: true,
|
||||||
|
IssuerKeyId: &e.PrimaryKey.KeyId,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
e.Subkeys[0].PublicKey.IsSubkey = true
|
||||||
|
e.Subkeys[0].PrivateKey.IsSubkey = true
|
||||||
|
|
||||||
|
return e, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SerializePrivate serializes an Entity, including private key material, to
|
||||||
|
// the given Writer. For now, it must only be used on an Entity returned from
|
||||||
|
// NewEntity.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) {
|
||||||
|
err = e.PrivateKey.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
err = ident.UserId.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if e.PrivateKey.PrivateKey != nil {
|
||||||
|
err = ident.SelfSignature.SignUserId(ident.UserId.Id, e.PrimaryKey, e.PrivateKey, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
err = ident.SelfSignature.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, subkey := range e.Subkeys {
|
||||||
|
err = subkey.PrivateKey.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// Workaround shortcoming of SignKey(), which doesn't work to reverse-sign
|
||||||
|
// sub-signing keys. So if requested, just reuse the signatures already
|
||||||
|
// available to us (if we read this key from a keyring).
|
||||||
|
if e.PrivateKey.PrivateKey != nil && !config.ReuseSignatures() {
|
||||||
|
err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if subkey.Revocation != nil {
|
||||||
|
err = subkey.Revocation.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
err = subkey.Sig.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize writes the public part of the given Entity to w. (No private
|
||||||
|
// key material will be output).
|
||||||
|
func (e *Entity) Serialize(w io.Writer) error {
|
||||||
|
err := e.PrimaryKey.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
err = ident.UserId.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
err = ident.SelfSignature.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for _, sig := range ident.Signatures {
|
||||||
|
err = sig.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, subkey := range e.Subkeys {
|
||||||
|
err = subkey.PublicKey.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if subkey.Revocation != nil {
|
||||||
|
err = subkey.Revocation.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
err = subkey.Sig.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignIdentity adds a signature to e, from signer, attesting that identity is
|
||||||
|
// associated with e. The provided identity must already be an element of
|
||||||
|
// e.Identities and the private key of signer must have been decrypted if
|
||||||
|
// necessary.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error {
|
||||||
|
if signer.PrivateKey == nil {
|
||||||
|
return errors.InvalidArgumentError("signing Entity must have a private key")
|
||||||
|
}
|
||||||
|
if signer.PrivateKey.Encrypted {
|
||||||
|
return errors.InvalidArgumentError("signing Entity's private key must be decrypted")
|
||||||
|
}
|
||||||
|
ident, ok := e.Identities[identity]
|
||||||
|
if !ok {
|
||||||
|
return errors.InvalidArgumentError("given identity string not found in Entity")
|
||||||
|
}
|
||||||
|
|
||||||
|
sig := &packet.Signature{
|
||||||
|
SigType: packet.SigTypeGenericCert,
|
||||||
|
PubKeyAlgo: signer.PrivateKey.PubKeyAlgo,
|
||||||
|
Hash: config.Hash(),
|
||||||
|
CreationTime: config.Now(),
|
||||||
|
IssuerKeyId: &signer.PrivateKey.KeyId,
|
||||||
|
}
|
||||||
|
if err := sig.SignUserId(identity, e.PrimaryKey, signer.PrivateKey, config); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
ident.Signatures = append(ident.Signatures, sig)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// CopySubkeyRevocations copies subkey revocations from the src Entity over
|
||||||
|
// to the receiver entity. We need this because `gpg --export-secret-key` does
|
||||||
|
// not appear to output subkey revocations. In this case we need to manually
|
||||||
|
// merge with the output of `gpg --export`.
|
||||||
|
func (e *Entity) CopySubkeyRevocations(src *Entity) {
|
||||||
|
m := make(map[[20]byte]*packet.Signature)
|
||||||
|
for _, subkey := range src.Subkeys {
|
||||||
|
if subkey.Revocation != nil {
|
||||||
|
m[subkey.PublicKey.Fingerprint] = subkey.Revocation
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for i, subkey := range e.Subkeys {
|
||||||
|
if r := m[subkey.PublicKey.Fingerprint]; r != nil {
|
||||||
|
e.Subkeys[i].Revocation = r
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CheckDesignatedRevokers will try to confirm any of designated
|
||||||
|
// revocation of entity. For this function to work, revocation
|
||||||
|
// issuer's key should be found in keyring. First successfully
|
||||||
|
// verified designated revocation is returned along with the key that
|
||||||
|
// verified it.
|
||||||
|
func FindVerifiedDesignatedRevoke(keyring KeyRing, entity *Entity) (*packet.Signature, *Key) {
|
||||||
|
for _, sig := range entity.UnverifiedRevocations {
|
||||||
|
if sig.IssuerKeyId == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
issuerKeyId := *sig.IssuerKeyId
|
||||||
|
issuerFingerprint := sig.IssuerFingerprint
|
||||||
|
keys := keyring.KeysByIdUsage(issuerKeyId, issuerFingerprint, packet.KeyFlagSign)
|
||||||
|
if len(keys) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
for _, key := range keys {
|
||||||
|
err := key.PublicKey.VerifyRevocationSignature(entity.PrimaryKey, sig)
|
||||||
|
if err == nil {
|
||||||
|
return sig, &key
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, nil
|
||||||
|
}
|
@ -0,0 +1,104 @@
|
|||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/ecdh"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/s2k"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ECDHKdfParams generates KDF parameters sequence for given
|
||||||
|
// PublicKey. See https://tools.ietf.org/html/rfc6637#section-8
|
||||||
|
func ECDHKdfParams(pub *PublicKey) []byte {
|
||||||
|
buf := new(bytes.Buffer)
|
||||||
|
oid := pub.ec.oid
|
||||||
|
buf.WriteByte(byte(len(oid)))
|
||||||
|
buf.Write(oid)
|
||||||
|
buf.WriteByte(18) // ECDH TYPE
|
||||||
|
pub.ecdh.serialize(buf)
|
||||||
|
buf.WriteString("Anonymous Sender ")
|
||||||
|
buf.Write(pub.Fingerprint[:])
|
||||||
|
return buf.Bytes()
|
||||||
|
}
|
||||||
|
|
||||||
|
func decryptKeyECDH(priv *PrivateKey, X, Y *big.Int, C []byte) (out []byte, err error) {
|
||||||
|
ecdhpriv, ok := priv.PrivateKey.(*ecdh.PrivateKey)
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.InvalidArgumentError("bad internal ECDH key")
|
||||||
|
}
|
||||||
|
|
||||||
|
Sx := ecdhpriv.DecryptShared(X, Y)
|
||||||
|
|
||||||
|
kdfParams := ECDHKdfParams(&priv.PublicKey)
|
||||||
|
hash, ok := s2k.HashIdToHash(byte(priv.ecdh.KdfHash))
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.InvalidArgumentError("invalid hash id in private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
key := ecdhpriv.KDF(Sx, kdfParams, hash)
|
||||||
|
keySize := CipherFunction(priv.ecdh.KdfAlgo).KeySize()
|
||||||
|
|
||||||
|
decrypted, err := ecdh.AESKeyUnwrap(key[:keySize], C)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// We have to "read ahead" to discover real length of the
|
||||||
|
// encryption key and properly unpad buffer.
|
||||||
|
cipherFunc := CipherFunction(decrypted[0])
|
||||||
|
// +3 bytes = 1-byte cipher id and checksum 2-byte checksum.
|
||||||
|
out = ecdh.UnpadBuffer(decrypted, cipherFunc.KeySize()+3)
|
||||||
|
if out == nil {
|
||||||
|
return nil, errors.InvalidArgumentError("invalid padding while ECDH")
|
||||||
|
}
|
||||||
|
return out, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeEncryptedKeyECDH(w io.Writer, rand io.Reader, header [10]byte, pub *PublicKey, keyBlock []byte) error {
|
||||||
|
ecdhpub := pub.PublicKey.(*ecdh.PublicKey)
|
||||||
|
kdfParams := ECDHKdfParams(pub)
|
||||||
|
|
||||||
|
hash, ok := s2k.HashIdToHash(byte(pub.ecdh.KdfHash))
|
||||||
|
if !ok {
|
||||||
|
return errors.InvalidArgumentError("invalid hash id in private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
kdfKeySize := CipherFunction(pub.ecdh.KdfAlgo).KeySize()
|
||||||
|
Vx, Vy, C, err := ecdhpub.Encrypt(rand, kdfParams, keyBlock, hash, kdfKeySize)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
mpis, mpiBitLen := ecdh.Marshal(ecdhpub.Curve, Vx, Vy)
|
||||||
|
|
||||||
|
packetLen := len(header) /* header length in bytes */
|
||||||
|
packetLen += 2 /* mpi length in bits */ + len(mpis)
|
||||||
|
packetLen += 1 /* ciphertext size in bytes */ + len(C)
|
||||||
|
|
||||||
|
err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = w.Write(header[:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = w.Write([]byte{byte(mpiBitLen >> 8), byte(mpiBitLen)})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = w.Write(mpis[:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
w.Write([]byte{byte(len(C))})
|
||||||
|
w.Write(C[:])
|
||||||
|
return nil
|
||||||
|
}
|
@ -0,0 +1,7 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
patch < sig-v3.patch
|
||||||
|
patch < s2k-gnu-dummy.patch
|
||||||
|
find . -type f -name '*.go' -exec sed -i'' -e 's/golang.org\/x\/crypto\/openpgp/github.com\/keybase\/go-crypto\/openpgp/' {} \;
|
||||||
|
find . -type f -name '*.go-e' -exec rm {} \;
|
||||||
|
go test ./...
|
@ -0,0 +1,135 @@
|
|||||||
|
diff --git a/openpgp/read.go b/openpgp/read.go
|
||||||
|
index a6cecc5..0c9397b 100644
|
||||||
|
--- a/openpgp/read.go
|
||||||
|
+++ b/openpgp/read.go
|
||||||
|
@@ -56,8 +56,9 @@ type MessageDetails struct {
|
||||||
|
// been consumed. Once EOF has been seen, the following fields are
|
||||||
|
// valid. (An authentication code failure is reported as a
|
||||||
|
// SignatureError error when reading from UnverifiedBody.)
|
||||||
|
- SignatureError error // nil if the signature is good.
|
||||||
|
- Signature *packet.Signature // the signature packet itself.
|
||||||
|
+ SignatureError error // nil if the signature is good.
|
||||||
|
+ Signature *packet.Signature // the signature packet itself, if v4 (default)
|
||||||
|
+ SignatureV3 *packet.SignatureV3 // the signature packet if it is a v2 or v3 signature
|
||||||
|
|
||||||
|
decrypted io.ReadCloser
|
||||||
|
}
|
||||||
|
@@ -334,13 +335,15 @@ func (scr *signatureCheckReader) Read(buf []byte) (n int, err error) {
|
||||||
|
}
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
- if scr.md.Signature, ok = p.(*packet.Signature); !ok {
|
||||||
|
+ if scr.md.Signature, ok = p.(*packet.Signature); ok {
|
||||||
|
+ scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature)
|
||||||
|
+ } else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok {
|
||||||
|
+ scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3)
|
||||||
|
+ } else {
|
||||||
|
scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
- scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature)
|
||||||
|
-
|
||||||
|
// The SymmetricallyEncrypted packet, if any, might have an
|
||||||
|
// unsigned hash of its own. In order to check this we need to
|
||||||
|
// close that Reader.
|
||||||
|
diff --git a/openpgp/read_test.go b/openpgp/read_test.go
|
||||||
|
index 52f942c..abe8d7b 100644
|
||||||
|
--- a/openpgp/read_test.go
|
||||||
|
+++ b/openpgp/read_test.go
|
||||||
|
@@ -13,6 +13,7 @@ import (
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
+ "golang.org/x/crypto/openpgp/armor"
|
||||||
|
"golang.org/x/crypto/openpgp/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
@@ -411,6 +412,50 @@ func TestIssue11504(t *testing.T) {
|
||||||
|
testReadMessageError(t, "9303000130303030303030303030983002303030303030030000000130")
|
||||||
|
}
|
||||||
|
|
||||||
|
+// TestSignatureV3Message tests the verification of V3 signature, generated
|
||||||
|
+// with a modern V4-style key. Some people have their clients set to generate
|
||||||
|
+// V3 signatures, so it's useful to be able to verify them.
|
||||||
|
+func TestSignatureV3Message(t *testing.T) {
|
||||||
|
+ sig, err := armor.Decode(strings.NewReader(signedMessageV3))
|
||||||
|
+ if err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+ key, err := ReadArmoredKeyRing(strings.NewReader(keyV4forVerifyingSignedMessageV3))
|
||||||
|
+ if err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+ md, err := ReadMessage(sig.Body, key, nil, nil)
|
||||||
|
+ if err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ _, err = ioutil.ReadAll(md.UnverifiedBody)
|
||||||
|
+ if err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // We'll see a sig error here after reading in the UnverifiedBody above,
|
||||||
|
+ // if there was one to see.
|
||||||
|
+ if err = md.SignatureError; err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if md.SignatureV3 == nil {
|
||||||
|
+ t.Errorf("No available signature after checking signature")
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+ if md.Signature != nil {
|
||||||
|
+ t.Errorf("Did not expect a signature V4 back")
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+ return
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
const testKey1KeyId = 0xA34D7E18C20C31BB
|
||||||
|
const testKey3KeyId = 0x338934250CCC0360
|
||||||
|
|
||||||
|
@@ -504,3 +549,36 @@ const unknownHashFunctionHex = `8a00000040040001990006050253863c24000a09103b4fe6
|
||||||
|
const missingHashFunctionHex = `8a00000040040001030006050253863c24000a09103b4fe6acc0b21f32ffff0101010101010101010101010101010101010101010101010101010101010101010101010101`
|
||||||
|
|
||||||
|
const campbellQuine = `a0b001000300fcffa0b001000d00f2ff000300fcffa0b001000d00f2ff8270a01c00000500faff8270a01c00000500faff000500faff001400ebff8270a01c00000500faff000500faff001400ebff428821c400001400ebff428821c400001400ebff428821c400001400ebff428821c400001400ebff428821c400000000ffff000000ffff000b00f4ff428821c400000000ffff000000ffff000b00f4ff0233214c40000100feff000233214c40000100feff0000`
|
||||||
|
+
|
||||||
|
+const keyV4forVerifyingSignedMessageV3 = `-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
+Comment: GPGTools - https://gpgtools.org
|
||||||
|
+
|
||||||
|
+mI0EVfxoFQEEAMBIqmbDfYygcvP6Phr1wr1XI41IF7Qixqybs/foBF8qqblD9gIY
|
||||||
|
+BKpXjnBOtbkcVOJ0nljd3/sQIfH4E0vQwK5/4YRQSI59eKOqd6Fx+fWQOLG+uu6z
|
||||||
|
+tewpeCj9LLHvibx/Sc7VWRnrznia6ftrXxJ/wHMezSab3tnGC0YPVdGNABEBAAG0
|
||||||
|
+JEdvY3J5cHRvIFRlc3QgS2V5IDx0aGVtYXhAZ21haWwuY29tPoi5BBMBCgAjBQJV
|
||||||
|
+/GgVAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQeXnQmhdGW9PFVAP+
|
||||||
|
+K7TU0qX5ArvIONIxh/WAweyOk884c5cE8f+3NOPOOCRGyVy0FId5A7MmD5GOQh4H
|
||||||
|
+JseOZVEVCqlmngEvtHZb3U1VYtVGE5WZ+6rQhGsMcWP5qaT4soYwMBlSYxgYwQcx
|
||||||
|
+YhN9qOr292f9j2Y//TTIJmZT4Oa+lMxhWdqTfX+qMgG4jQRV/GgVAQQArhFSiij1
|
||||||
|
+b+hT3dnapbEU+23Z1yTu1DfF6zsxQ4XQWEV3eR8v+8mEDDNcz8oyyF56k6UQ3rXi
|
||||||
|
+UMTIwRDg4V6SbZmaFbZYCOwp/EmXJ3rfhm7z7yzXj2OFN22luuqbyVhuL7LRdB0M
|
||||||
|
+pxgmjXb4tTvfgKd26x34S+QqUJ7W6uprY4sAEQEAAYifBBgBCgAJBQJV/GgVAhsM
|
||||||
|
+AAoJEHl50JoXRlvT7y8D/02ckx4OMkKBZo7viyrBw0MLG92i+DC2bs35PooHR6zz
|
||||||
|
+786mitjOp5z2QWNLBvxC70S0qVfCIz8jKupO1J6rq6Z8CcbLF3qjm6h1omUBf8Nd
|
||||||
|
+EfXKD2/2HV6zMKVknnKzIEzauh+eCKS2CeJUSSSryap/QLVAjRnckaES/OsEWhNB
|
||||||
|
+=RZia
|
||||||
|
+-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
+`
|
||||||
|
+
|
||||||
|
+const signedMessageV3 = `-----BEGIN PGP MESSAGE-----
|
||||||
|
+Comment: GPGTools - https://gpgtools.org
|
||||||
|
+
|
||||||
|
+owGbwMvMwMVYWXlhlrhb9GXG03JJDKF/MtxDMjKLFYAoUaEktbhEITe1uDgxPVWP
|
||||||
|
+q5NhKjMrWAVcC9evD8z/bF/uWNjqtk/X3y5/38XGRQHm/57rrDRYuGnTw597Xqka
|
||||||
|
+uM3137/hH3Os+Jf2dc0fXOITKwJvXJvecPVs0ta+Vg7ZO1MLn8w58Xx+6L58mbka
|
||||||
|
+DGHyU9yTueZE8D+QF/Tz28Y78dqtF56R1VPn9Xw4uJqrWYdd7b3vIZ1V6R4Nh05d
|
||||||
|
+iT57d/OhWwA=
|
||||||
|
+=hG7R
|
||||||
|
+-----END PGP MESSAGE-----
|
||||||
|
+`
|
@ -0,0 +1,325 @@
|
|||||||
|
// Copyright 2009 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package rsa
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/subtle"
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
// This file implements encryption and decryption using PKCS#1 v1.5 padding.
|
||||||
|
|
||||||
|
// PKCS1v15DecrypterOpts is for passing options to PKCS#1 v1.5 decryption using
|
||||||
|
// the crypto.Decrypter interface.
|
||||||
|
type PKCS1v15DecryptOptions struct {
|
||||||
|
// SessionKeyLen is the length of the session key that is being
|
||||||
|
// decrypted. If not zero, then a padding error during decryption will
|
||||||
|
// cause a random plaintext of this length to be returned rather than
|
||||||
|
// an error. These alternatives happen in constant time.
|
||||||
|
SessionKeyLen int
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptPKCS1v15 encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5.
|
||||||
|
// The message must be no longer than the length of the public modulus minus 11 bytes.
|
||||||
|
//
|
||||||
|
// The rand parameter is used as a source of entropy to ensure that encrypting
|
||||||
|
// the same message twice doesn't result in the same ciphertext.
|
||||||
|
//
|
||||||
|
// WARNING: use of this function to encrypt plaintexts other than session keys
|
||||||
|
// is dangerous. Use RSA OAEP in new protocols.
|
||||||
|
func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) (out []byte, err error) {
|
||||||
|
if err := checkPub(pub); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
k := (pub.N.BitLen() + 7) / 8
|
||||||
|
if len(msg) > k-11 {
|
||||||
|
err = ErrMessageTooLong
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// EM = 0x00 || 0x02 || PS || 0x00 || M
|
||||||
|
em := make([]byte, k)
|
||||||
|
em[1] = 2
|
||||||
|
ps, mm := em[2:len(em)-len(msg)-1], em[len(em)-len(msg):]
|
||||||
|
err = nonZeroRandomBytes(ps, rand)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
em[len(em)-len(msg)-1] = 0
|
||||||
|
copy(mm, msg)
|
||||||
|
|
||||||
|
m := new(big.Int).SetBytes(em)
|
||||||
|
c := encrypt(new(big.Int), pub, m)
|
||||||
|
|
||||||
|
copyWithLeftPad(em, c.Bytes())
|
||||||
|
out = em
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5.
|
||||||
|
// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
|
||||||
|
//
|
||||||
|
// Note that whether this function returns an error or not discloses secret
|
||||||
|
// information. If an attacker can cause this function to run repeatedly and
|
||||||
|
// learn whether each instance returned an error then they can decrypt and
|
||||||
|
// forge signatures as if they had the private key. See
|
||||||
|
// DecryptPKCS1v15SessionKey for a way of solving this problem.
|
||||||
|
func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (out []byte, err error) {
|
||||||
|
if err := checkPub(&priv.PublicKey); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
valid, out, index, err := decryptPKCS1v15(rand, priv, ciphertext)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if valid == 0 {
|
||||||
|
return nil, ErrDecryption
|
||||||
|
}
|
||||||
|
out = out[index:]
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptPKCS1v15SessionKey decrypts a session key using RSA and the padding scheme from PKCS#1 v1.5.
|
||||||
|
// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
|
||||||
|
// It returns an error if the ciphertext is the wrong length or if the
|
||||||
|
// ciphertext is greater than the public modulus. Otherwise, no error is
|
||||||
|
// returned. If the padding is valid, the resulting plaintext message is copied
|
||||||
|
// into key. Otherwise, key is unchanged. These alternatives occur in constant
|
||||||
|
// time. It is intended that the user of this function generate a random
|
||||||
|
// session key beforehand and continue the protocol with the resulting value.
|
||||||
|
// This will remove any possibility that an attacker can learn any information
|
||||||
|
// about the plaintext.
|
||||||
|
// See ``Chosen Ciphertext Attacks Against Protocols Based on the RSA
|
||||||
|
// Encryption Standard PKCS #1'', Daniel Bleichenbacher, Advances in Cryptology
|
||||||
|
// (Crypto '98).
|
||||||
|
//
|
||||||
|
// Note that if the session key is too small then it may be possible for an
|
||||||
|
// attacker to brute-force it. If they can do that then they can learn whether
|
||||||
|
// a random value was used (because it'll be different for the same ciphertext)
|
||||||
|
// and thus whether the padding was correct. This defeats the point of this
|
||||||
|
// function. Using at least a 16-byte key will protect against this attack.
|
||||||
|
func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []byte, key []byte) (err error) {
|
||||||
|
if err := checkPub(&priv.PublicKey); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
k := (priv.N.BitLen() + 7) / 8
|
||||||
|
if k-(len(key)+3+8) < 0 {
|
||||||
|
return ErrDecryption
|
||||||
|
}
|
||||||
|
|
||||||
|
valid, em, index, err := decryptPKCS1v15(rand, priv, ciphertext)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(em) != k {
|
||||||
|
// This should be impossible because decryptPKCS1v15 always
|
||||||
|
// returns the full slice.
|
||||||
|
return ErrDecryption
|
||||||
|
}
|
||||||
|
|
||||||
|
valid &= subtle.ConstantTimeEq(int32(len(em)-index), int32(len(key)))
|
||||||
|
subtle.ConstantTimeCopy(valid, key, em[len(em)-len(key):])
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// decryptPKCS1v15 decrypts ciphertext using priv and blinds the operation if
|
||||||
|
// rand is not nil. It returns one or zero in valid that indicates whether the
|
||||||
|
// plaintext was correctly structured. In either case, the plaintext is
|
||||||
|
// returned in em so that it may be read independently of whether it was valid
|
||||||
|
// in order to maintain constant memory access patterns. If the plaintext was
|
||||||
|
// valid then index contains the index of the original message in em.
|
||||||
|
func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) {
|
||||||
|
k := (priv.N.BitLen() + 7) / 8
|
||||||
|
if k < 11 {
|
||||||
|
err = ErrDecryption
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
c := new(big.Int).SetBytes(ciphertext)
|
||||||
|
m, err := decrypt(rand, priv, c)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
em = leftPad(m.Bytes(), k)
|
||||||
|
firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
|
||||||
|
secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2)
|
||||||
|
|
||||||
|
// The remainder of the plaintext must be a string of non-zero random
|
||||||
|
// octets, followed by a 0, followed by the message.
|
||||||
|
// lookingForIndex: 1 iff we are still looking for the zero.
|
||||||
|
// index: the offset of the first zero byte.
|
||||||
|
lookingForIndex := 1
|
||||||
|
|
||||||
|
for i := 2; i < len(em); i++ {
|
||||||
|
equals0 := subtle.ConstantTimeByteEq(em[i], 0)
|
||||||
|
index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index)
|
||||||
|
lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex)
|
||||||
|
}
|
||||||
|
|
||||||
|
// The PS padding must be at least 8 bytes long, and it starts two
|
||||||
|
// bytes into em.
|
||||||
|
validPS := subtle.ConstantTimeLessOrEq(2+8, index)
|
||||||
|
|
||||||
|
valid = firstByteIsZero & secondByteIsTwo & (^lookingForIndex & 1) & validPS
|
||||||
|
index = subtle.ConstantTimeSelect(valid, index+1, 0)
|
||||||
|
return valid, em, index, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// nonZeroRandomBytes fills the given slice with non-zero random octets.
|
||||||
|
func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) {
|
||||||
|
_, err = io.ReadFull(rand, s)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := 0; i < len(s); i++ {
|
||||||
|
for s[i] == 0 {
|
||||||
|
_, err = io.ReadFull(rand, s[i:i+1])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// In tests, the PRNG may return all zeros so we do
|
||||||
|
// this to break the loop.
|
||||||
|
s[i] ^= 0x42
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// These are ASN1 DER structures:
|
||||||
|
// DigestInfo ::= SEQUENCE {
|
||||||
|
// digestAlgorithm AlgorithmIdentifier,
|
||||||
|
// digest OCTET STRING
|
||||||
|
// }
|
||||||
|
// For performance, we don't use the generic ASN1 encoder. Rather, we
|
||||||
|
// precompute a prefix of the digest value that makes a valid ASN1 DER string
|
||||||
|
// with the correct contents.
|
||||||
|
var hashPrefixes = map[crypto.Hash][]byte{
|
||||||
|
crypto.MD5: {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
|
||||||
|
crypto.SHA1: {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14},
|
||||||
|
crypto.SHA224: {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
|
||||||
|
crypto.SHA256: {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
|
||||||
|
crypto.SHA384: {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
|
||||||
|
crypto.SHA512: {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
|
||||||
|
crypto.MD5SHA1: {}, // A special TLS case which doesn't use an ASN1 prefix.
|
||||||
|
crypto.RIPEMD160: {0x30, 0x20, 0x30, 0x08, 0x06, 0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31, 0x04, 0x14},
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignPKCS1v15 calculates the signature of hashed using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5.
|
||||||
|
// Note that hashed must be the result of hashing the input message using the
|
||||||
|
// given hash function. If hash is zero, hashed is signed directly. This isn't
|
||||||
|
// advisable except for interoperability.
|
||||||
|
//
|
||||||
|
// If rand is not nil then RSA blinding will be used to avoid timing side-channel attacks.
|
||||||
|
//
|
||||||
|
// This function is deterministic. Thus, if the set of possible messages is
|
||||||
|
// small, an attacker may be able to build a map from messages to signatures
|
||||||
|
// and identify the signed messages. As ever, signatures provide authenticity,
|
||||||
|
// not confidentiality.
|
||||||
|
func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte) (s []byte, err error) {
|
||||||
|
hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
tLen := len(prefix) + hashLen
|
||||||
|
k := (priv.N.BitLen() + 7) / 8
|
||||||
|
if k < tLen+11 {
|
||||||
|
return nil, ErrMessageTooLong
|
||||||
|
}
|
||||||
|
|
||||||
|
// EM = 0x00 || 0x01 || PS || 0x00 || T
|
||||||
|
em := make([]byte, k)
|
||||||
|
em[1] = 1
|
||||||
|
for i := 2; i < k-tLen-1; i++ {
|
||||||
|
em[i] = 0xff
|
||||||
|
}
|
||||||
|
copy(em[k-tLen:k-hashLen], prefix)
|
||||||
|
copy(em[k-hashLen:k], hashed)
|
||||||
|
|
||||||
|
m := new(big.Int).SetBytes(em)
|
||||||
|
c, err := decryptAndCheck(rand, priv, m)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
copyWithLeftPad(em, c.Bytes())
|
||||||
|
s = em
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyPKCS1v15 verifies an RSA PKCS#1 v1.5 signature.
|
||||||
|
// hashed is the result of hashing the input message using the given hash
|
||||||
|
// function and sig is the signature. A valid signature is indicated by
|
||||||
|
// returning a nil error. If hash is zero then hashed is used directly. This
|
||||||
|
// isn't advisable except for interoperability.
|
||||||
|
func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) (err error) {
|
||||||
|
hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
tLen := len(prefix) + hashLen
|
||||||
|
k := (pub.N.BitLen() + 7) / 8
|
||||||
|
if k < tLen+11 {
|
||||||
|
err = ErrVerification
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
c := new(big.Int).SetBytes(sig)
|
||||||
|
m := encrypt(new(big.Int), pub, c)
|
||||||
|
em := leftPad(m.Bytes(), k)
|
||||||
|
// EM = 0x00 || 0x01 || PS || 0x00 || T
|
||||||
|
|
||||||
|
ok := subtle.ConstantTimeByteEq(em[0], 0)
|
||||||
|
ok &= subtle.ConstantTimeByteEq(em[1], 1)
|
||||||
|
ok &= subtle.ConstantTimeCompare(em[k-hashLen:k], hashed)
|
||||||
|
ok &= subtle.ConstantTimeCompare(em[k-tLen:k-hashLen], prefix)
|
||||||
|
ok &= subtle.ConstantTimeByteEq(em[k-tLen-1], 0)
|
||||||
|
|
||||||
|
for i := 2; i < k-tLen-1; i++ {
|
||||||
|
ok &= subtle.ConstantTimeByteEq(em[i], 0xff)
|
||||||
|
}
|
||||||
|
|
||||||
|
if ok != 1 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func pkcs1v15HashInfo(hash crypto.Hash, inLen int) (hashLen int, prefix []byte, err error) {
|
||||||
|
// Special case: crypto.Hash(0) is used to indicate that the data is
|
||||||
|
// signed directly.
|
||||||
|
if hash == 0 {
|
||||||
|
return inLen, nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
hashLen = hash.Size()
|
||||||
|
if inLen != hashLen {
|
||||||
|
return 0, nil, errors.New("crypto/rsa: input must be hashed message")
|
||||||
|
}
|
||||||
|
prefix, ok := hashPrefixes[hash]
|
||||||
|
if !ok {
|
||||||
|
return 0, nil, errors.New("crypto/rsa: unsupported hash function")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// copyWithLeftPad copies src to the end of dest, padding with zero bytes as
|
||||||
|
// needed.
|
||||||
|
func copyWithLeftPad(dest, src []byte) {
|
||||||
|
numPaddingBytes := len(dest) - len(src)
|
||||||
|
for i := 0; i < numPaddingBytes; i++ {
|
||||||
|
dest[i] = 0
|
||||||
|
}
|
||||||
|
copy(dest[numPaddingBytes:], src)
|
||||||
|
}
|
@ -0,0 +1,297 @@
|
|||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package rsa
|
||||||
|
|
||||||
|
// This file implements the PSS signature scheme [1].
|
||||||
|
//
|
||||||
|
// [1] http://www.rsa.com/rsalabs/pkcs/files/h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto"
|
||||||
|
"errors"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byte, error) {
|
||||||
|
// See [1], section 9.1.1
|
||||||
|
hLen := hash.Size()
|
||||||
|
sLen := len(salt)
|
||||||
|
emLen := (emBits + 7) / 8
|
||||||
|
|
||||||
|
// 1. If the length of M is greater than the input limitation for the
|
||||||
|
// hash function (2^61 - 1 octets for SHA-1), output "message too
|
||||||
|
// long" and stop.
|
||||||
|
//
|
||||||
|
// 2. Let mHash = Hash(M), an octet string of length hLen.
|
||||||
|
|
||||||
|
if len(mHash) != hLen {
|
||||||
|
return nil, errors.New("crypto/rsa: input must be hashed message")
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3. If emLen < hLen + sLen + 2, output "encoding error" and stop.
|
||||||
|
|
||||||
|
if emLen < hLen+sLen+2 {
|
||||||
|
return nil, errors.New("crypto/rsa: encoding error")
|
||||||
|
}
|
||||||
|
|
||||||
|
em := make([]byte, emLen)
|
||||||
|
db := em[:emLen-sLen-hLen-2+1+sLen]
|
||||||
|
h := em[emLen-sLen-hLen-2+1+sLen : emLen-1]
|
||||||
|
|
||||||
|
// 4. Generate a random octet string salt of length sLen; if sLen = 0,
|
||||||
|
// then salt is the empty string.
|
||||||
|
//
|
||||||
|
// 5. Let
|
||||||
|
// M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt;
|
||||||
|
//
|
||||||
|
// M' is an octet string of length 8 + hLen + sLen with eight
|
||||||
|
// initial zero octets.
|
||||||
|
//
|
||||||
|
// 6. Let H = Hash(M'), an octet string of length hLen.
|
||||||
|
|
||||||
|
var prefix [8]byte
|
||||||
|
|
||||||
|
hash.Write(prefix[:])
|
||||||
|
hash.Write(mHash)
|
||||||
|
hash.Write(salt)
|
||||||
|
|
||||||
|
h = hash.Sum(h[:0])
|
||||||
|
hash.Reset()
|
||||||
|
|
||||||
|
// 7. Generate an octet string PS consisting of emLen - sLen - hLen - 2
|
||||||
|
// zero octets. The length of PS may be 0.
|
||||||
|
//
|
||||||
|
// 8. Let DB = PS || 0x01 || salt; DB is an octet string of length
|
||||||
|
// emLen - hLen - 1.
|
||||||
|
|
||||||
|
db[emLen-sLen-hLen-2] = 0x01
|
||||||
|
copy(db[emLen-sLen-hLen-1:], salt)
|
||||||
|
|
||||||
|
// 9. Let dbMask = MGF(H, emLen - hLen - 1).
|
||||||
|
//
|
||||||
|
// 10. Let maskedDB = DB \xor dbMask.
|
||||||
|
|
||||||
|
mgf1XOR(db, hash, h)
|
||||||
|
|
||||||
|
// 11. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in
|
||||||
|
// maskedDB to zero.
|
||||||
|
|
||||||
|
db[0] &= (0xFF >> uint(8*emLen-emBits))
|
||||||
|
|
||||||
|
// 12. Let EM = maskedDB || H || 0xbc.
|
||||||
|
em[emLen-1] = 0xBC
|
||||||
|
|
||||||
|
// 13. Output EM.
|
||||||
|
return em, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
|
||||||
|
// 1. If the length of M is greater than the input limitation for the
|
||||||
|
// hash function (2^61 - 1 octets for SHA-1), output "inconsistent"
|
||||||
|
// and stop.
|
||||||
|
//
|
||||||
|
// 2. Let mHash = Hash(M), an octet string of length hLen.
|
||||||
|
hLen := hash.Size()
|
||||||
|
if hLen != len(mHash) {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3. If emLen < hLen + sLen + 2, output "inconsistent" and stop.
|
||||||
|
emLen := (emBits + 7) / 8
|
||||||
|
if emLen < hLen+sLen+2 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
// 4. If the rightmost octet of EM does not have hexadecimal value
|
||||||
|
// 0xbc, output "inconsistent" and stop.
|
||||||
|
if em[len(em)-1] != 0xBC {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
// 5. Let maskedDB be the leftmost emLen - hLen - 1 octets of EM, and
|
||||||
|
// let H be the next hLen octets.
|
||||||
|
db := em[:emLen-hLen-1]
|
||||||
|
h := em[emLen-hLen-1 : len(em)-1]
|
||||||
|
|
||||||
|
// 6. If the leftmost 8 * emLen - emBits bits of the leftmost octet in
|
||||||
|
// maskedDB are not all equal to zero, output "inconsistent" and
|
||||||
|
// stop.
|
||||||
|
if em[0]&(0xFF<<uint(8-(8*emLen-emBits))) != 0 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
// 7. Let dbMask = MGF(H, emLen - hLen - 1).
|
||||||
|
//
|
||||||
|
// 8. Let DB = maskedDB \xor dbMask.
|
||||||
|
mgf1XOR(db, hash, h)
|
||||||
|
|
||||||
|
// 9. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in DB
|
||||||
|
// to zero.
|
||||||
|
db[0] &= (0xFF >> uint(8*emLen-emBits))
|
||||||
|
|
||||||
|
if sLen == PSSSaltLengthAuto {
|
||||||
|
FindSaltLength:
|
||||||
|
for sLen = emLen - (hLen + 2); sLen >= 0; sLen-- {
|
||||||
|
switch db[emLen-hLen-sLen-2] {
|
||||||
|
case 1:
|
||||||
|
break FindSaltLength
|
||||||
|
case 0:
|
||||||
|
continue
|
||||||
|
default:
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if sLen < 0 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero
|
||||||
|
// or if the octet at position emLen - hLen - sLen - 1 (the leftmost
|
||||||
|
// position is "position 1") does not have hexadecimal value 0x01,
|
||||||
|
// output "inconsistent" and stop.
|
||||||
|
for _, e := range db[:emLen-hLen-sLen-2] {
|
||||||
|
if e != 0x00 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if db[emLen-hLen-sLen-2] != 0x01 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 11. Let salt be the last sLen octets of DB.
|
||||||
|
salt := db[len(db)-sLen:]
|
||||||
|
|
||||||
|
// 12. Let
|
||||||
|
// M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt ;
|
||||||
|
// M' is an octet string of length 8 + hLen + sLen with eight
|
||||||
|
// initial zero octets.
|
||||||
|
//
|
||||||
|
// 13. Let H' = Hash(M'), an octet string of length hLen.
|
||||||
|
var prefix [8]byte
|
||||||
|
hash.Write(prefix[:])
|
||||||
|
hash.Write(mHash)
|
||||||
|
hash.Write(salt)
|
||||||
|
|
||||||
|
h0 := hash.Sum(nil)
|
||||||
|
|
||||||
|
// 14. If H = H', output "consistent." Otherwise, output "inconsistent."
|
||||||
|
if !bytes.Equal(h0, h) {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// signPSSWithSalt calculates the signature of hashed using PSS [1] with specified salt.
|
||||||
|
// Note that hashed must be the result of hashing the input message using the
|
||||||
|
// given hash function. salt is a random sequence of bytes whose length will be
|
||||||
|
// later used to verify the signature.
|
||||||
|
func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) (s []byte, err error) {
|
||||||
|
nBits := priv.N.BitLen()
|
||||||
|
em, err := emsaPSSEncode(hashed, nBits-1, salt, hash.New())
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
m := new(big.Int).SetBytes(em)
|
||||||
|
c, err := decryptAndCheck(rand, priv, m)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
s = make([]byte, (nBits+7)/8)
|
||||||
|
copyWithLeftPad(s, c.Bytes())
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
const (
|
||||||
|
// PSSSaltLengthAuto causes the salt in a PSS signature to be as large
|
||||||
|
// as possible when signing, and to be auto-detected when verifying.
|
||||||
|
PSSSaltLengthAuto = 0
|
||||||
|
// PSSSaltLengthEqualsHash causes the salt length to equal the length
|
||||||
|
// of the hash used in the signature.
|
||||||
|
PSSSaltLengthEqualsHash = -1
|
||||||
|
)
|
||||||
|
|
||||||
|
// PSSOptions contains options for creating and verifying PSS signatures.
|
||||||
|
type PSSOptions struct {
|
||||||
|
// SaltLength controls the length of the salt used in the PSS
|
||||||
|
// signature. It can either be a number of bytes, or one of the special
|
||||||
|
// PSSSaltLength constants.
|
||||||
|
SaltLength int
|
||||||
|
|
||||||
|
// Hash, if not zero, overrides the hash function passed to SignPSS.
|
||||||
|
// This is the only way to specify the hash function when using the
|
||||||
|
// crypto.Signer interface.
|
||||||
|
Hash crypto.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
// HashFunc returns pssOpts.Hash so that PSSOptions implements
|
||||||
|
// crypto.SignerOpts.
|
||||||
|
func (pssOpts *PSSOptions) HashFunc() crypto.Hash {
|
||||||
|
return pssOpts.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
func (opts *PSSOptions) saltLength() int {
|
||||||
|
if opts == nil {
|
||||||
|
return PSSSaltLengthAuto
|
||||||
|
}
|
||||||
|
return opts.SaltLength
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignPSS calculates the signature of hashed using RSASSA-PSS [1].
|
||||||
|
// Note that hashed must be the result of hashing the input message using the
|
||||||
|
// given hash function. The opts argument may be nil, in which case sensible
|
||||||
|
// defaults are used.
|
||||||
|
func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte, opts *PSSOptions) (s []byte, err error) {
|
||||||
|
saltLength := opts.saltLength()
|
||||||
|
switch saltLength {
|
||||||
|
case PSSSaltLengthAuto:
|
||||||
|
saltLength = (priv.N.BitLen()+7)/8 - 2 - hash.Size()
|
||||||
|
case PSSSaltLengthEqualsHash:
|
||||||
|
saltLength = hash.Size()
|
||||||
|
}
|
||||||
|
|
||||||
|
if opts != nil && opts.Hash != 0 {
|
||||||
|
hash = opts.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
salt := make([]byte, saltLength)
|
||||||
|
if _, err = io.ReadFull(rand, salt); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return signPSSWithSalt(rand, priv, hash, hashed, salt)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyPSS verifies a PSS signature.
|
||||||
|
// hashed is the result of hashing the input message using the given hash
|
||||||
|
// function and sig is the signature. A valid signature is indicated by
|
||||||
|
// returning a nil error. The opts argument may be nil, in which case sensible
|
||||||
|
// defaults are used.
|
||||||
|
func VerifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, opts *PSSOptions) error {
|
||||||
|
return verifyPSS(pub, hash, hashed, sig, opts.saltLength())
|
||||||
|
}
|
||||||
|
|
||||||
|
// verifyPSS verifies a PSS signature with the given salt length.
|
||||||
|
func verifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, saltLen int) error {
|
||||||
|
nBits := pub.N.BitLen()
|
||||||
|
if len(sig) != (nBits+7)/8 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
s := new(big.Int).SetBytes(sig)
|
||||||
|
m := encrypt(new(big.Int), pub, s)
|
||||||
|
emBits := nBits - 1
|
||||||
|
emLen := (emBits + 7) / 8
|
||||||
|
if emLen < len(m.Bytes()) {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
em := make([]byte, emLen)
|
||||||
|
copyWithLeftPad(em, m.Bytes())
|
||||||
|
if saltLen == PSSSaltLengthEqualsHash {
|
||||||
|
saltLen = hash.Size()
|
||||||
|
}
|
||||||
|
return emsaPSSVerify(hashed, em, emBits, saltLen, hash.New())
|
||||||
|
}
|
@ -1,637 +0,0 @@
|
|||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package openpgp
|
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/rsa"
|
|
||||||
"io"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"golang.org/x/crypto/openpgp/armor"
|
|
||||||
"golang.org/x/crypto/openpgp/errors"
|
|
||||||
"golang.org/x/crypto/openpgp/packet"
|
|
||||||
)
|
|
||||||
|
|
||||||
// PublicKeyType is the armor type for a PGP public key.
|
|
||||||
var PublicKeyType = "PGP PUBLIC KEY BLOCK"
|
|
||||||
|
|
||||||
// PrivateKeyType is the armor type for a PGP private key.
|
|
||||||
var PrivateKeyType = "PGP PRIVATE KEY BLOCK"
|
|
||||||
|
|
||||||
// An Entity represents the components of an OpenPGP key: a primary public key
|
|
||||||
// (which must be a signing key), one or more identities claimed by that key,
|
|
||||||
// and zero or more subkeys, which may be encryption keys.
|
|
||||||
type Entity struct {
|
|
||||||
PrimaryKey *packet.PublicKey
|
|
||||||
PrivateKey *packet.PrivateKey
|
|
||||||
Identities map[string]*Identity // indexed by Identity.Name
|
|
||||||
Revocations []*packet.Signature
|
|
||||||
Subkeys []Subkey
|
|
||||||
}
|
|
||||||
|
|
||||||
// An Identity represents an identity claimed by an Entity and zero or more
|
|
||||||
// assertions by other entities about that claim.
|
|
||||||
type Identity struct {
|
|
||||||
Name string // by convention, has the form "Full Name (comment) <email@example.com>"
|
|
||||||
UserId *packet.UserId
|
|
||||||
SelfSignature *packet.Signature
|
|
||||||
Signatures []*packet.Signature
|
|
||||||
}
|
|
||||||
|
|
||||||
// A Subkey is an additional public key in an Entity. Subkeys can be used for
|
|
||||||
// encryption.
|
|
||||||
type Subkey struct {
|
|
||||||
PublicKey *packet.PublicKey
|
|
||||||
PrivateKey *packet.PrivateKey
|
|
||||||
Sig *packet.Signature
|
|
||||||
}
|
|
||||||
|
|
||||||
// A Key identifies a specific public key in an Entity. This is either the
|
|
||||||
// Entity's primary key or a subkey.
|
|
||||||
type Key struct {
|
|
||||||
Entity *Entity
|
|
||||||
PublicKey *packet.PublicKey
|
|
||||||
PrivateKey *packet.PrivateKey
|
|
||||||
SelfSignature *packet.Signature
|
|
||||||
}
|
|
||||||
|
|
||||||
// A KeyRing provides access to public and private keys.
|
|
||||||
type KeyRing interface {
|
|
||||||
// KeysById returns the set of keys that have the given key id.
|
|
||||||
KeysById(id uint64) []Key
|
|
||||||
// KeysByIdAndUsage returns the set of keys with the given id
|
|
||||||
// that also meet the key usage given by requiredUsage.
|
|
||||||
// The requiredUsage is expressed as the bitwise-OR of
|
|
||||||
// packet.KeyFlag* values.
|
|
||||||
KeysByIdUsage(id uint64, requiredUsage byte) []Key
|
|
||||||
// DecryptionKeys returns all private keys that are valid for
|
|
||||||
// decryption.
|
|
||||||
DecryptionKeys() []Key
|
|
||||||
}
|
|
||||||
|
|
||||||
// primaryIdentity returns the Identity marked as primary or the first identity
|
|
||||||
// if none are so marked.
|
|
||||||
func (e *Entity) primaryIdentity() *Identity {
|
|
||||||
var firstIdentity *Identity
|
|
||||||
for _, ident := range e.Identities {
|
|
||||||
if firstIdentity == nil {
|
|
||||||
firstIdentity = ident
|
|
||||||
}
|
|
||||||
if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
|
|
||||||
return ident
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return firstIdentity
|
|
||||||
}
|
|
||||||
|
|
||||||
// encryptionKey returns the best candidate Key for encrypting a message to the
|
|
||||||
// given Entity.
|
|
||||||
func (e *Entity) encryptionKey(now time.Time) (Key, bool) {
|
|
||||||
candidateSubkey := -1
|
|
||||||
|
|
||||||
// Iterate the keys to find the newest key
|
|
||||||
var maxTime time.Time
|
|
||||||
for i, subkey := range e.Subkeys {
|
|
||||||
if subkey.Sig.FlagsValid &&
|
|
||||||
subkey.Sig.FlagEncryptCommunications &&
|
|
||||||
subkey.PublicKey.PubKeyAlgo.CanEncrypt() &&
|
|
||||||
!subkey.Sig.KeyExpired(now) &&
|
|
||||||
(maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) {
|
|
||||||
candidateSubkey = i
|
|
||||||
maxTime = subkey.Sig.CreationTime
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if candidateSubkey != -1 {
|
|
||||||
subkey := e.Subkeys[candidateSubkey]
|
|
||||||
return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true
|
|
||||||
}
|
|
||||||
|
|
||||||
// If we don't have any candidate subkeys for encryption and
|
|
||||||
// the primary key doesn't have any usage metadata then we
|
|
||||||
// assume that the primary key is ok. Or, if the primary key is
|
|
||||||
// marked as ok to encrypt to, then we can obviously use it.
|
|
||||||
i := e.primaryIdentity()
|
|
||||||
if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications &&
|
|
||||||
e.PrimaryKey.PubKeyAlgo.CanEncrypt() &&
|
|
||||||
!i.SelfSignature.KeyExpired(now) {
|
|
||||||
return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true
|
|
||||||
}
|
|
||||||
|
|
||||||
// This Entity appears to be signing only.
|
|
||||||
return Key{}, false
|
|
||||||
}
|
|
||||||
|
|
||||||
// signingKey return the best candidate Key for signing a message with this
|
|
||||||
// Entity.
|
|
||||||
func (e *Entity) signingKey(now time.Time) (Key, bool) {
|
|
||||||
candidateSubkey := -1
|
|
||||||
|
|
||||||
for i, subkey := range e.Subkeys {
|
|
||||||
if subkey.Sig.FlagsValid &&
|
|
||||||
subkey.Sig.FlagSign &&
|
|
||||||
subkey.PublicKey.PubKeyAlgo.CanSign() &&
|
|
||||||
!subkey.Sig.KeyExpired(now) {
|
|
||||||
candidateSubkey = i
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if candidateSubkey != -1 {
|
|
||||||
subkey := e.Subkeys[candidateSubkey]
|
|
||||||
return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true
|
|
||||||
}
|
|
||||||
|
|
||||||
// If we have no candidate subkey then we assume that it's ok to sign
|
|
||||||
// with the primary key.
|
|
||||||
i := e.primaryIdentity()
|
|
||||||
if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagSign &&
|
|
||||||
!i.SelfSignature.KeyExpired(now) {
|
|
||||||
return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true
|
|
||||||
}
|
|
||||||
|
|
||||||
return Key{}, false
|
|
||||||
}
|
|
||||||
|
|
||||||
// An EntityList contains one or more Entities.
|
|
||||||
type EntityList []*Entity
|
|
||||||
|
|
||||||
// KeysById returns the set of keys that have the given key id.
|
|
||||||
func (el EntityList) KeysById(id uint64) (keys []Key) {
|
|
||||||
for _, e := range el {
|
|
||||||
if e.PrimaryKey.KeyId == id {
|
|
||||||
var selfSig *packet.Signature
|
|
||||||
for _, ident := range e.Identities {
|
|
||||||
if selfSig == nil {
|
|
||||||
selfSig = ident.SelfSignature
|
|
||||||
} else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
|
|
||||||
selfSig = ident.SelfSignature
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
keys = append(keys, Key{e, e.PrimaryKey, e.PrivateKey, selfSig})
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, subKey := range e.Subkeys {
|
|
||||||
if subKey.PublicKey.KeyId == id {
|
|
||||||
keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// KeysByIdAndUsage returns the set of keys with the given id that also meet
|
|
||||||
// the key usage given by requiredUsage. The requiredUsage is expressed as
|
|
||||||
// the bitwise-OR of packet.KeyFlag* values.
|
|
||||||
func (el EntityList) KeysByIdUsage(id uint64, requiredUsage byte) (keys []Key) {
|
|
||||||
for _, key := range el.KeysById(id) {
|
|
||||||
if len(key.Entity.Revocations) > 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
if key.SelfSignature.RevocationReason != nil {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
if key.SelfSignature.FlagsValid && requiredUsage != 0 {
|
|
||||||
var usage byte
|
|
||||||
if key.SelfSignature.FlagCertify {
|
|
||||||
usage |= packet.KeyFlagCertify
|
|
||||||
}
|
|
||||||
if key.SelfSignature.FlagSign {
|
|
||||||
usage |= packet.KeyFlagSign
|
|
||||||
}
|
|
||||||
if key.SelfSignature.FlagEncryptCommunications {
|
|
||||||
usage |= packet.KeyFlagEncryptCommunications
|
|
||||||
}
|
|
||||||
if key.SelfSignature.FlagEncryptStorage {
|
|
||||||
usage |= packet.KeyFlagEncryptStorage
|
|
||||||
}
|
|
||||||
if usage&requiredUsage != requiredUsage {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
keys = append(keys, key)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DecryptionKeys returns all private keys that are valid for decryption.
|
|
||||||
func (el EntityList) DecryptionKeys() (keys []Key) {
|
|
||||||
for _, e := range el {
|
|
||||||
for _, subKey := range e.Subkeys {
|
|
||||||
if subKey.PrivateKey != nil && (!subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) {
|
|
||||||
keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file.
|
|
||||||
func ReadArmoredKeyRing(r io.Reader) (EntityList, error) {
|
|
||||||
block, err := armor.Decode(r)
|
|
||||||
if err == io.EOF {
|
|
||||||
return nil, errors.InvalidArgumentError("no armored data found")
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if block.Type != PublicKeyType && block.Type != PrivateKeyType {
|
|
||||||
return nil, errors.InvalidArgumentError("expected public or private key block, got: " + block.Type)
|
|
||||||
}
|
|
||||||
|
|
||||||
return ReadKeyRing(block.Body)
|
|
||||||
}
|
|
||||||
|
|
||||||
// ReadKeyRing reads one or more public/private keys. Unsupported keys are
|
|
||||||
// ignored as long as at least a single valid key is found.
|
|
||||||
func ReadKeyRing(r io.Reader) (el EntityList, err error) {
|
|
||||||
packets := packet.NewReader(r)
|
|
||||||
var lastUnsupportedError error
|
|
||||||
|
|
||||||
for {
|
|
||||||
var e *Entity
|
|
||||||
e, err = ReadEntity(packets)
|
|
||||||
if err != nil {
|
|
||||||
// TODO: warn about skipped unsupported/unreadable keys
|
|
||||||
if _, ok := err.(errors.UnsupportedError); ok {
|
|
||||||
lastUnsupportedError = err
|
|
||||||
err = readToNextPublicKey(packets)
|
|
||||||
} else if _, ok := err.(errors.StructuralError); ok {
|
|
||||||
// Skip unreadable, badly-formatted keys
|
|
||||||
lastUnsupportedError = err
|
|
||||||
err = readToNextPublicKey(packets)
|
|
||||||
}
|
|
||||||
if err == io.EOF {
|
|
||||||
err = nil
|
|
||||||
break
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
el = nil
|
|
||||||
break
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
el = append(el, e)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(el) == 0 && err == nil {
|
|
||||||
err = lastUnsupportedError
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// readToNextPublicKey reads packets until the start of the entity and leaves
|
|
||||||
// the first packet of the new entity in the Reader.
|
|
||||||
func readToNextPublicKey(packets *packet.Reader) (err error) {
|
|
||||||
var p packet.Packet
|
|
||||||
for {
|
|
||||||
p, err = packets.Next()
|
|
||||||
if err == io.EOF {
|
|
||||||
return
|
|
||||||
} else if err != nil {
|
|
||||||
if _, ok := err.(errors.UnsupportedError); ok {
|
|
||||||
err = nil
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if pk, ok := p.(*packet.PublicKey); ok && !pk.IsSubkey {
|
|
||||||
packets.Unread(p)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// ReadEntity reads an entity (public key, identities, subkeys etc) from the
|
|
||||||
// given Reader.
|
|
||||||
func ReadEntity(packets *packet.Reader) (*Entity, error) {
|
|
||||||
e := new(Entity)
|
|
||||||
e.Identities = make(map[string]*Identity)
|
|
||||||
|
|
||||||
p, err := packets.Next()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
var ok bool
|
|
||||||
if e.PrimaryKey, ok = p.(*packet.PublicKey); !ok {
|
|
||||||
if e.PrivateKey, ok = p.(*packet.PrivateKey); !ok {
|
|
||||||
packets.Unread(p)
|
|
||||||
return nil, errors.StructuralError("first packet was not a public/private key")
|
|
||||||
} else {
|
|
||||||
e.PrimaryKey = &e.PrivateKey.PublicKey
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if !e.PrimaryKey.PubKeyAlgo.CanSign() {
|
|
||||||
return nil, errors.StructuralError("primary key cannot be used for signatures")
|
|
||||||
}
|
|
||||||
|
|
||||||
var current *Identity
|
|
||||||
var revocations []*packet.Signature
|
|
||||||
EachPacket:
|
|
||||||
for {
|
|
||||||
p, err := packets.Next()
|
|
||||||
if err == io.EOF {
|
|
||||||
break
|
|
||||||
} else if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
switch pkt := p.(type) {
|
|
||||||
case *packet.UserId:
|
|
||||||
current = new(Identity)
|
|
||||||
current.Name = pkt.Id
|
|
||||||
current.UserId = pkt
|
|
||||||
e.Identities[pkt.Id] = current
|
|
||||||
|
|
||||||
for {
|
|
||||||
p, err = packets.Next()
|
|
||||||
if err == io.EOF {
|
|
||||||
return nil, io.ErrUnexpectedEOF
|
|
||||||
} else if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
sig, ok := p.(*packet.Signature)
|
|
||||||
if !ok {
|
|
||||||
return nil, errors.StructuralError("user ID packet not followed by self-signature")
|
|
||||||
}
|
|
||||||
|
|
||||||
if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
|
|
||||||
if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
|
|
||||||
return nil, errors.StructuralError("user ID self-signature invalid: " + err.Error())
|
|
||||||
}
|
|
||||||
current.SelfSignature = sig
|
|
||||||
break
|
|
||||||
}
|
|
||||||
current.Signatures = append(current.Signatures, sig)
|
|
||||||
}
|
|
||||||
case *packet.Signature:
|
|
||||||
if pkt.SigType == packet.SigTypeKeyRevocation {
|
|
||||||
revocations = append(revocations, pkt)
|
|
||||||
} else if pkt.SigType == packet.SigTypeDirectSignature {
|
|
||||||
// TODO: RFC4880 5.2.1 permits signatures
|
|
||||||
// directly on keys (eg. to bind additional
|
|
||||||
// revocation keys).
|
|
||||||
} else if current == nil {
|
|
||||||
return nil, errors.StructuralError("signature packet found before user id packet")
|
|
||||||
} else {
|
|
||||||
current.Signatures = append(current.Signatures, pkt)
|
|
||||||
}
|
|
||||||
case *packet.PrivateKey:
|
|
||||||
if pkt.IsSubkey == false {
|
|
||||||
packets.Unread(p)
|
|
||||||
break EachPacket
|
|
||||||
}
|
|
||||||
err = addSubkey(e, packets, &pkt.PublicKey, pkt)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
case *packet.PublicKey:
|
|
||||||
if pkt.IsSubkey == false {
|
|
||||||
packets.Unread(p)
|
|
||||||
break EachPacket
|
|
||||||
}
|
|
||||||
err = addSubkey(e, packets, pkt, nil)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
default:
|
|
||||||
// we ignore unknown packets
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(e.Identities) == 0 {
|
|
||||||
return nil, errors.StructuralError("entity without any identities")
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, revocation := range revocations {
|
|
||||||
err = e.PrimaryKey.VerifyRevocationSignature(revocation)
|
|
||||||
if err == nil {
|
|
||||||
e.Revocations = append(e.Revocations, revocation)
|
|
||||||
} else {
|
|
||||||
// TODO: RFC 4880 5.2.3.15 defines revocation keys.
|
|
||||||
return nil, errors.StructuralError("revocation signature signed by alternate key")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return e, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error {
|
|
||||||
var subKey Subkey
|
|
||||||
subKey.PublicKey = pub
|
|
||||||
subKey.PrivateKey = priv
|
|
||||||
p, err := packets.Next()
|
|
||||||
if err == io.EOF {
|
|
||||||
return io.ErrUnexpectedEOF
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
return errors.StructuralError("subkey signature invalid: " + err.Error())
|
|
||||||
}
|
|
||||||
var ok bool
|
|
||||||
subKey.Sig, ok = p.(*packet.Signature)
|
|
||||||
if !ok {
|
|
||||||
return errors.StructuralError("subkey packet not followed by signature")
|
|
||||||
}
|
|
||||||
if subKey.Sig.SigType != packet.SigTypeSubkeyBinding && subKey.Sig.SigType != packet.SigTypeSubkeyRevocation {
|
|
||||||
return errors.StructuralError("subkey signature with wrong type")
|
|
||||||
}
|
|
||||||
err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, subKey.Sig)
|
|
||||||
if err != nil {
|
|
||||||
return errors.StructuralError("subkey signature invalid: " + err.Error())
|
|
||||||
}
|
|
||||||
e.Subkeys = append(e.Subkeys, subKey)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
const defaultRSAKeyBits = 2048
|
|
||||||
|
|
||||||
// NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
|
|
||||||
// single identity composed of the given full name, comment and email, any of
|
|
||||||
// which may be empty but must not contain any of "()<>\x00".
|
|
||||||
// If config is nil, sensible defaults will be used.
|
|
||||||
func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) {
|
|
||||||
currentTime := config.Now()
|
|
||||||
|
|
||||||
bits := defaultRSAKeyBits
|
|
||||||
if config != nil && config.RSABits != 0 {
|
|
||||||
bits = config.RSABits
|
|
||||||
}
|
|
||||||
|
|
||||||
uid := packet.NewUserId(name, comment, email)
|
|
||||||
if uid == nil {
|
|
||||||
return nil, errors.InvalidArgumentError("user id field contained invalid characters")
|
|
||||||
}
|
|
||||||
signingPriv, err := rsa.GenerateKey(config.Random(), bits)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
encryptingPriv, err := rsa.GenerateKey(config.Random(), bits)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
e := &Entity{
|
|
||||||
PrimaryKey: packet.NewRSAPublicKey(currentTime, &signingPriv.PublicKey),
|
|
||||||
PrivateKey: packet.NewRSAPrivateKey(currentTime, signingPriv),
|
|
||||||
Identities: make(map[string]*Identity),
|
|
||||||
}
|
|
||||||
isPrimaryId := true
|
|
||||||
e.Identities[uid.Id] = &Identity{
|
|
||||||
Name: uid.Name,
|
|
||||||
UserId: uid,
|
|
||||||
SelfSignature: &packet.Signature{
|
|
||||||
CreationTime: currentTime,
|
|
||||||
SigType: packet.SigTypePositiveCert,
|
|
||||||
PubKeyAlgo: packet.PubKeyAlgoRSA,
|
|
||||||
Hash: config.Hash(),
|
|
||||||
IsPrimaryId: &isPrimaryId,
|
|
||||||
FlagsValid: true,
|
|
||||||
FlagSign: true,
|
|
||||||
FlagCertify: true,
|
|
||||||
IssuerKeyId: &e.PrimaryKey.KeyId,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
// If the user passes in a DefaultHash via packet.Config,
|
|
||||||
// set the PreferredHash for the SelfSignature.
|
|
||||||
if config != nil && config.DefaultHash != 0 {
|
|
||||||
e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)}
|
|
||||||
}
|
|
||||||
|
|
||||||
e.Subkeys = make([]Subkey, 1)
|
|
||||||
e.Subkeys[0] = Subkey{
|
|
||||||
PublicKey: packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),
|
|
||||||
PrivateKey: packet.NewRSAPrivateKey(currentTime, encryptingPriv),
|
|
||||||
Sig: &packet.Signature{
|
|
||||||
CreationTime: currentTime,
|
|
||||||
SigType: packet.SigTypeSubkeyBinding,
|
|
||||||
PubKeyAlgo: packet.PubKeyAlgoRSA,
|
|
||||||
Hash: config.Hash(),
|
|
||||||
FlagsValid: true,
|
|
||||||
FlagEncryptStorage: true,
|
|
||||||
FlagEncryptCommunications: true,
|
|
||||||
IssuerKeyId: &e.PrimaryKey.KeyId,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
e.Subkeys[0].PublicKey.IsSubkey = true
|
|
||||||
e.Subkeys[0].PrivateKey.IsSubkey = true
|
|
||||||
|
|
||||||
return e, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// SerializePrivate serializes an Entity, including private key material, to
|
|
||||||
// the given Writer. For now, it must only be used on an Entity returned from
|
|
||||||
// NewEntity.
|
|
||||||
// If config is nil, sensible defaults will be used.
|
|
||||||
func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) {
|
|
||||||
err = e.PrivateKey.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
for _, ident := range e.Identities {
|
|
||||||
err = ident.UserId.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
err = ident.SelfSignature.SignUserId(ident.UserId.Id, e.PrimaryKey, e.PrivateKey, config)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
err = ident.SelfSignature.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
for _, subkey := range e.Subkeys {
|
|
||||||
err = subkey.PrivateKey.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
err = subkey.Sig.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Serialize writes the public part of the given Entity to w. (No private
|
|
||||||
// key material will be output).
|
|
||||||
func (e *Entity) Serialize(w io.Writer) error {
|
|
||||||
err := e.PrimaryKey.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
for _, ident := range e.Identities {
|
|
||||||
err = ident.UserId.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
err = ident.SelfSignature.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
for _, sig := range ident.Signatures {
|
|
||||||
err = sig.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
for _, subkey := range e.Subkeys {
|
|
||||||
err = subkey.PublicKey.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
err = subkey.Sig.Serialize(w)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// SignIdentity adds a signature to e, from signer, attesting that identity is
|
|
||||||
// associated with e. The provided identity must already be an element of
|
|
||||||
// e.Identities and the private key of signer must have been decrypted if
|
|
||||||
// necessary.
|
|
||||||
// If config is nil, sensible defaults will be used.
|
|
||||||
func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error {
|
|
||||||
if signer.PrivateKey == nil {
|
|
||||||
return errors.InvalidArgumentError("signing Entity must have a private key")
|
|
||||||
}
|
|
||||||
if signer.PrivateKey.Encrypted {
|
|
||||||
return errors.InvalidArgumentError("signing Entity's private key must be decrypted")
|
|
||||||
}
|
|
||||||
ident, ok := e.Identities[identity]
|
|
||||||
if !ok {
|
|
||||||
return errors.InvalidArgumentError("given identity string not found in Entity")
|
|
||||||
}
|
|
||||||
|
|
||||||
sig := &packet.Signature{
|
|
||||||
SigType: packet.SigTypeGenericCert,
|
|
||||||
PubKeyAlgo: signer.PrivateKey.PubKeyAlgo,
|
|
||||||
Hash: config.Hash(),
|
|
||||||
CreationTime: config.Now(),
|
|
||||||
IssuerKeyId: &signer.PrivateKey.KeyId,
|
|
||||||
}
|
|
||||||
if err := sig.SignUserId(identity, e.PrimaryKey, signer.PrivateKey, config); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
ident.Signatures = append(ident.Signatures, sig)
|
|
||||||
return nil
|
|
||||||
}
|
|
Loading…
Reference in new issue